It has been really a long time without a new post, but hopefully this will change in the future.
In this post I listed some vulnerable VMs that can be used for pentesting at home. There are also several vulnerable web applications available that can be used for pentesting. I've found a really great overview of vulnerable web applications.
For local testing I will now use Damn Vulnerable Web Application (DVWA).
Here is a short description of DVWA, copied from the DVWA website:
"Damn Vulnerable Web App (DVWA) is a PHP/MySQL web application that is damn vulnerable. Its main goals are to be an aid for security professionals to test their skills and tools in a legal environment, help web developers better understand the processes of securing web applications and aid teachers/students to teach/learn web application security in a class room environment."
So the only thing you will need after downloading DVWA is an Apache/PHP/MySQL environment. This can easily be set up with XAMPP, as it is a full package containing the Apache web server with PHP and a MySQL database, and it is available for a lot of platforms (Mac OS X / Windows / Linux / Solaris).
Hopefully I will have some time to execute a pentest against DVWA and to post some findings about it :-)