Open Web Application Security Project (OWASP) Broken Web Applications Project, a collection of vulnerable web applications that is distributed on a Virtual Machine in VMware format compatible with their no-cost VMware Player and VMware vSphere Hypervisor (ESXi) products (along with their older and commercial products).
Led by Chuck Willis (chuck (at) securityfoundry (dot) com) and sponsored by Mandiant (www.mandiant.com).
For more information on the project, see the Project User Guide or you can see a 20 minute video demonstration on Hacker Hotshots. To contribute, report bugs, or see / add to the list of known vulnerabilities in the project application, see Getting Involved.
Note - This project is a collection of open source software from various sources, along with some custom modifications and pieces to make it all work together. The license for each component may vary. The GPLv2 license listed on the left for this project is only for any custom modifications and code created for this project.