Looking for a Web Application Vulnerable to XSS Cookie Grab

[CFW <cfw_security () comcast net>]

Hi all,

   I am setting up a lab to learn about web application security and I 
have been messing with WebGoat and Foundstone's HacmeBank and found them 
to be very useful learning tools.  One thing lacking in them (from what 
I can tell) is a multiuser, XSS Cookie Grabbing example. 

   Basically, I would like to have a little application (or part of one 
of these applications) that one (malicious) user can log in to and post 
a XSS cookie grabber to a forum or guestbook or something.  Then, the 
attacker fires up a listener until another user logs in and hits the 
script, sending the cookies to the listener.  Then, the first user can 
change his cookies, and see clearly that the web application thinks it 
is the second user.  Does anyone know of such an application?

   The Foundstone Hacme Bank is almost there in that it has a "Post 
Message" section that is vulnerable to XSS, but it is set up so that 
each user sees only their own messages, so it is not possible to post a 
malicious script to someone else.  If the Foundstone people are reading 
this, have you considered changing this behavior?

   While I am asking, are there any other web applications like these 
that I should set up?  I looked at WebMaven, but it looks like that has 
been overtaken by Hacme and Webgoat (correct me if I am wrong).  Someone 
mentioned a while back on pen-test that you could use an old version of 
PHP-Nuke as a vulnerable site since it has a lot of known issues.  Has 
anyone done this and have any hints on what version is the most useful 
in this respect (most vulnerable I guess)?

   Thanks a bunch and have a good weekend.

Chuck