Burp Suite is the premier web application security testing platform — HTTP proxy (intercept/modify requests), Scanner (automated vulnerability detection), Repeater (manual testing), Intruder (fuzzing/brute force).
Burp Proxy: configure the browser to proxy through Burp (127.0.0.1:8080). Intercept requests, modify parameters, and replay them to test for SQLi/XSS/IDOR. The Community edition is free but does not include the Scanner. Essential tool for any web app pen tester.