The provided web application Gruyere - holey cheese - shows with own hacking and source code analysis many vulnerabilities. Google Code University exercises are to solve from attackers view. Reading source code and using the tools (for me curl and WebScarab) is like a game with the wow factor if the next security hole is found. This makes learning fun and the solved problems are easier to remember.
I analyzed my own web application zitat-service.de (quotation service for web pages) simultaneously and solved some vulnerabilities:
Including my own web application fixes, but without Ajax, it took me 2 days to finish the track with: