When it comes to application security, you can usually tell people who have actually exploited vulnerabilities from those who have only a conceptual grasp of the subject. Seeing exploits in action goes a long way towards making security issues real. So I've started a series of short tutorials called Hands-on Web Security using live, exploitable vulnerabilities to illustrate the concepts behind them. I hope to cover the major types of flaws afflicting web apps, one per article. Each flaw will have an explanation of the problem, live holes to be exploited, and recommendations on how to avoid the problem.
By the way, the fine people at OWASP have an application along those lines. It's called the Web Goat Project. The main difference is that you have to download it and run it on your computer, and it's geared towards security people and more advanced exploitation, whereas my stuff is geared towards developers and architects.