We generally call "scapegoat" and in web application security world, there is also a scapegoat "WebGoat". WebGoat is deliberately vulnerable web application that helps us to learn web application attacks and this knowledge helps us to avoid those vulnerability in the application we develop. WebGoat is written in Java and so we can install on any operation system. All the web attacks are discussed in 30 lessons and it also comes with install guide. WebGoat is being maintained by OWASP. The details can be found here.
