I have Often seen Beginners who will pursue their carrier in Application Security always have less Hands on experience in testing Web Applications below are the links Would help them to learn and Improve their skills in Application Security Testing.

Vulnerable Webapplications

1) Jarlsberg App

http://jarlsberg.appspot.com/start

2) OWASP Broken Web Applications project

http://code.google.com/p/owaspbwa/wiki/ProjectSummary
Intentionally Vulnerable Applications:
•OWASP WebGoat version 5.3-SNAPSHOT (Java)
•OWASP Vicnum version 1.4 (PHP/Perl)
•Mutillidae version 1.3 (PHP)
•Damn Vulnerable Web Application version 1.06 (PHP)
•Ghost (PHP)
•Peruggia version 1.2 (PHP)
•OWASP CSRFGuard Test Application version 2.2 (Java)
•OWASP AppSensor Demo Application (Java)
•Mandiant Struts Forms (Java/Struts)
•Simple ASP.NET Forms (ASP.NET/C#)
•Simple Form with DOM Cross Site Scripting (HTML/JavaScript)

Old Versions of Real Applications:
•WordPress 2.0.0 (PHP, released December 31, 2005, downloaded from www.oldapps.com)
•phpBB 2.0.0 (PHP, released April 4, 2002, downloaded from www.oldapps.com)
•Yazd version 1.0 (Java, released February 20, 2002)

3)Web Security Dojo

http://www.mavensecurity.com/web_security_dojo/

Targets include:

•OWASP’s WebGoat
•Damn Vulnerable Web App
•Hacme Casino
•OWASP InsecureWebApp
•simple training targets by Maven Security (including REST and JSON)
Tools:

•Burp Suite (free version)
•w3af
•OWASP Skavenger
•OWASP Dirbuster
•Paros
•Webscarab
•Ratproxy
•sqlmap
•helpful Firefox add-ons

4)SPI Dynamics (live) – http://zero.webappsecurity.com/

5)Cenzic (live) – http://crackme.cenzic.com/

6)Watchfire (live) – http://demo.testfire.net/

7)Acunetix (live) – http://testphp.acunetix.com/ http://testasp.acunetix.com http://testaspnet.acunetix.com

8)PCTechtips Challenge (live) – http://pctechtips.org/hacker-challenge-pwn3d-the-login-form/

9)The Butterfly Security Project – http://sourceforge.net/projects/thebutterflytmp/files/ButterFly%20Project

10)Hacme Casino – http://www.foundstone.com/us/resources/proddesc/hacmecasino.htm

11)Hacme Bank 2.0 – http://www.foundstone.com/us/resources/proddesc/hacmebank.htm

12)Updated HackmeBank – http://www.o2-ounceopen.com/technical-info/2008/12/8/updated-version-of-hacmebank.html

14)Hacme Books – http://www.foundstone.com/us/resources/proddesc/hacmebooks.htm

15)Hacme Travel – http://www.foundstone.com/us/resources/proddesc/hacmetravel.htm

16)Hacme Shipping – http://www.foundstone.com/us/resources/proddesc/hacmeshipping.htm

17)OWASP SiteGenerator – http://www.owasp.org/index.php/Owasp_SiteGenerator

18)Moth – http://www.bonsai-sec.com/en/research/moth.php

19)Stanford SecuriBench – http://suif.stanford.edu/~livshits/securibench/

20)SecuriBench Micro – http://suif.stanford.edu/~livshits/work/securibench-micro/

21)BadStore – http://www.badstore.net/

22)WebMaven/Buggy Bank – http://www.mavensecurity.com/webmaven