I am looking for a very insecure ASP.NET application. Ideally i'm looking for an application that was written by a noob who has made a lot of security mistakes. If the app has a MS-SQL back-end that would be a bonus. I know of two cool projects for PHP and J2EE which fill my needs. Do you know anything like this for ASP.NET?
I know one... there's a business near where I live, and I refuse to join their loyalty program because I accidentally stumbled across a SQL injection vulnerability on their site. I can't tell you who it is though, because they're a real business and I'm sure they don't want your students to hack them.
Why not write your own? Maybe start a codeplex project called LearnSecurity, which has a combination of pages - some which use bad security practices and some which don't.
Yes, as Rob suggested ... you could make a couple of pages ... on the first get the input from a field and execute it against the database :) On the second, just get some text from the db that contains javascript alert or something and render it directly on the page :) Just an idea ...
Hacme Bank is a pretty good example from Foundstone of what not to do. It's an older example, written in .NET 1.1 against SQL 2000, but covers most of the common vulnerabilities found in web applications.