We all know DVL, but i never heard of DVWA. Just came across this one, and cant remember if anybody mentioned it before so here it goes.

some info:
Damn Vulnerable Web App (DVWA) is a PHP/MySQL web application that is damn vulnerable. Its main goals are to be an aid for security professionals to test their skills and tools in a legal environment, help web developers better understand the processes of securing web applications and aid teachers/students to teach/learn web application security in a class room environment.

the link:
http://www.dvwa.co.uk/

i'm adding this to my personal pentest lab soon, so ill check it out if it is any good, so for this one: no news is good news!

I believe this is included in the Web Security Dojo Distro.
http://www.mavensecurity.com/web_security_dojo/

Not to hijack the thread, but thought that it's worth mentioning that there is a downloadable ISO image (approx 11.2 MB)  from Badstore which is very easy to set up and configure and is vulnerable to various attacks such as:

Cross Site Scripting (XSS)
SQL Injection
Command Injection
Cookie/Session Poisoning
Parameter/Form Tampering
Buffer Overflow
Directory Traversal/Forceful Browsing
Cookie Snooping
Log Tampering
Error Message Interception
Denial of Service

http://www.badstore.net/downloads/return.htm

Like ketchup stated, DVWA is written by the EHNetter Ryan Dewhurst http://twitter.com/ethicalhack3r If I'm correct then EHNet was the first place it was publicly announced. Jason Haddix and Laz3r's Web application lab tutorial provided it the necessary publicity.

I believe webgoat is written in java. so in addition to normal attacks(xss, csrf) they have java related attacks like thread race conditions.

I got it figured out.. My solution even works on the 'high' setting. I didn't have to mess with the .htaccess after all. I'm slowly getting there.

What’s new?
The vulnerability help page has been improved.
We now display the logged on username along with the vulnerability level and php-ids status.
Blind SQL injection has been implemented.
We now have official documentation.
You can now compare all vulnerable source code in one page with the ‘view all’ button.
The whole theme has been redesigned, including a new great looking logo.
Many bug fixes and small changes throughout the application.



But that’s not all, we have continued the work that Duncan Alderson had done on the 1.0.6 LiveCD, as the LiveCD proved to be a great success. The new LiveCD is not only a vulnerable web application but also a badly configured web server which includes many server misconfiguration.



DVWA 1.0.7 LiveCD specs:

Ubuntu Server 10.04 minimal
XAMPP Linux 1.7.3a (Apache 2.2.14, MySQL 5.1.41, PHP 5.3.1)
WebDav
Fluxbox (optional)
Firefox 3.6.8
Firefox addons include XSS Me, SQL Inject Me, Access Me, Tamper Data, REST Client, HackBar, ShowIP, Useragent Switcher, Firebug, NoScript and more.


The DVWA 1.0.7 LiveCD is designed for the beginner to jump right in to learning web application security or a quick way to demo the severities of a vulnerability to your managers. The great thing about DVWA is its flexibility, whether you want to learn, teach, test or demo, DVWA makes it easy.

That's a great list, thanks dynamik!