Even though OWASP BWA is one of the most complete collections of vulnerable web applications for testing purposes, there are other virtual machines and web applications that could complement it as they contain different applications, frameworks, or configurations. The following are worth a try:
- OWASP Bricks, included in BWA, also has an online version: http://sechow.com/bricks/index.html.
- Hackazon (http://hackazon.webscantest.com/) is an online testing range meant to simulate a modern web application. According to its Wiki (https://github.com/rapid7/hackazon/wiki), it can also be found as a virtual machine OVA file.
- Acunetix's Vulnweb (http://www.vulnweb.com/) is a collection of vulnerable web applications, each one using a different technology (PHP, ASP, JSP, HTML5) created to test the effectiveness of the Acunetix web vulnerability scanner.
- Testfire (http://testfire.net/) is published by Watchfire and simulates an online banking application. It uses the .NET framework.
- Hewlett Packard also has a public testing site created to demonstrate the effectiveness of its Fortify WebInspect products; it is called ZeroBank (http://zero.webappsecurity.com/).