The Taddong Security Blog has a great list of vulnerable web applications you can play with to learn and test your web hacking knowledge and pen-testing tools, handcuffs not included. In other words, you can enter and stay at the playground without going to jail.
Some of them you download and install on your own systems, some of them you run as virtual machines (VMs) or ISOs on your systems, and others are available on the web for your malfeasance pleasure.
The apps are listed in 3 categories: offline, VMs/ISOs, and online. Each list has been ordered alphabetically. Get it here.
Another way to avoid jail: get a GOOJ card.
Hi Mack, adding The Hacker Games to the list seems to be out of scope (it is just for web pen-testing environments), and especially because it tries to counterattack the tester ;). Anyway, thanks for the contribution!
The above comment is in response to an unpublished comment I left at Taddong’s blog….
Taddong, I published your comment because I thought the clarification you made was important. Thanks!
The hacker games are at http://www.scriptjunkie.us/2012/04/the-hacker-games/, but be careful!