The OWASP released a vulnerable Rails application, the RailsGoat. It’s designed to educate developers.
The wiki lists the vulnerabilities. Note that the Rails 3 tutorials are more complete.
Example installation (but I couldn’t sign in): https://insecurerails.herokuapp.com/