The Taddong Security Blog has a great list of vulnerable web applications you can play with to learn and test your web hacking knowledge and pen-testing tools, handcuffs not included. In other words, you can enter and stay at the playground without going to jail.
Some of them you download and install on your own systems, some of them you run as virtual machines (VMs) or ISOs on your systems, and others are available on the web for your malfeasance pleasure.
The apps are listed in 3 categories: offline, VMs/ISOs, and online. Each list has been ordered alphabetically. Get it here.
Another way to avoid jail: get a GOOJ card.