Grabber is a web application scanner which can detect many security vulnerabilities in web applications. It performs scans and tells where the vulnerability exists. It can detect the following vulnerabilities:
  • Cross-site scripting
  • SQL injection
  • Ajax testing
  • File inclusion
  • JS source code analyzer
  • Backup file check
Download it from http://rgaucher.info/beta/grabber/.
Source code on

Vega is another free open-source web vulnerability scanner and testing platform. With this tool, you can perform security testing of a web application. This tool is written in Java and offers a GUI-based environment. It is available for OS X, Linux and Windows. It can be used to find SQL injection, header injection, directory listing, shell injection, cross-site scripting, file inclusion and other web application vulnerabilities. This tool can also be extended using a powerful API written in JavaScript.
Documentation is at https://subgraph.com/vega/documentation/index.en.html.
Download Vega from https://subgraph.com/vega/.
Zed Attack Proxy is also known as ZAP. This tool is open-source and is developed by OWASP. It is available for Windows, Unix/Linux and Macintosh platforms.
These are the key functionalities of ZAP:
  • Intercepting proxy
  • Automatic scanner
  • Traditional but powerful spiders
  • Fuzzer
  • Web socket support
  • Plug-n-hack support
  • Authentication support
  • REST-based API
  • Dynamic SSL certificates
  • Smartcard and client digital certificates support
Download ZAP

Wapiti is a web vulnerability scanner which lets you audit the security of your web applications. It performs black-box testing by scanning web pages and injecting data. It tries to inject payloads and see whether a script is vulnerable. It supports both GET and POST HTTP attacks and detects multiple vulnerabilities.
It can detect the following vulnerabilities:
  • File disclosure
  • File inclusion
  • Cross-site scripting (XSS)
  • Command execution detection
  • CRLF injection
  • SQL injection and XPath injection
  • Weak .htaccess configuration
  • Backup file disclosure
  • Many others
Download Wapiti with source code from http://wapiti.sourceforge.net/.
W3af is a popular web application attack and audit framework. This framework aims to provide a better web application penetration testing platform. It was developed using Python. By using this tool, you will be able to identify more than 200 kinds of web application vulnerabilities including SQL injection, cross-site scripting and many others.
You can access the source code at the GitHub repository
Download it from the official website http://w3af.org/.
WebScarab is a Java-based security framework for analyzing web applications using HTTP or HTTPS protocol. With available plugins, you can extend the functionality of the tool.
The source code of the tool is available on GitHub
Download WebScarab from https://www.owasp.org/index.php/Category:OWASP_WebScarab_Project.
Skipfish is another nice web application security tool. It crawls the website and then checks each page for various security threats. At the end, it prepares the final report.
Download Skipfish or its source code from Google Code at https://code.google.com/p/skipfish/.
Ratproxy is an open-source web application security audit tool which can be used to find security vulnerabilities in web applications. It supports Linux, FreeBSD, Mac OS X and Windows (Cygwin) environments.
You can read more about this tool at https://code.google.com/p/ratproxy/wiki/RatproxyDoc.
Download it from https://code.google.com/p/ratproxy/.
SQLMap is another popular open-source penetration testing tool. It automates the process of finding and exploiting SQL injection vulnerabilities in a website’s database. It has a powerful detection engine and many useful features. This way, a penetration tester can easily perform an SQL injection check on a website.
Access the source code on GitHub
Download SQLMap

Wfuzz is another freely available open-source tool for web application penetration testing. It can be used to brute-force GET and POST parameters for testing against various kinds of injections like SQL, XSS, LDAP and many others. It also supports cookie fuzzing, multi-threading, SOCKS, proxies, authentication, parameter brute-forcing, multiple proxies and many other things.
You can read more about the features of the tool at https://code.google.com/p/wfuzz/.
Download Wfuzz from code.google.com at https://code.google.com/p/wfuzz/.
Grendel-Scan is another nice open-source web application security tool. This is an automatic tool for finding security vulnerabilities in web applications. Many features are also available for manual penetration testing. This tool is available for Windows, Linux and Macintosh and was developed in Java.
Download the tool and source code from http://sourceforge.net/projects/grendel/.
Watcher is a passive web security scanner. It does not attack with loads of requests or crawl the target website. It is not a separate tool but an add-on for Fiddler, so you need to install Fiddler first and then install Watcher to use it.
Download Watcher and its source code from http://websecuritytool.codeplex.com/.
Arachni is an open-source tool developed for providing a penetration testing environment. It can detect various web application security vulnerabilities, such as SQL injection, XSS, local file inclusion, remote file inclusion, unvalidated redirects and many others.
Download this tool from http://www.arachni-scanner.com/.



