The best way to really understand application security is to learn about the issue and then perform the attacks yourself. You could go through the trouble of building your own vulnerable testing application or you could use one that has already been built specifically for that purpose. Here are a few to check out:
OWASP's Webgoat
Language: Java
Lesson format with hints and detailed solutions
Google's Jarlesburg
Language: Python
Lessons? Don't know, haven't tried it. Feedback please!
OWASP's Broken Web Application Project
A vmware image of multiple vulnerable web apps designed for testing and learning. The VM image is complete with necessary tools for immediate attacking fun
The only tool you will need is a web proxy and a browser:
Burp, WebScarab, or Fiddler
-Michael Coates