You don't always need specialist tools to pen test web applications, but they do help.
Unfortunately, many pen test tools either cost money, are aimed at experts, or are poorly documented.
If you are going to be a professional pen tester then you will be able to justify the expense of buying, and/or the time required to learn how to use, an 'expert's tool' like Burp Suite or WebScarab.
As a web application developer who wants to learn about pen testing, you need a free, easy-to-use and well-documented tool.
Ideally it should also be open source, as no doubt some of you will want to see what's going on under the hood, and maybe even make your own enhancements.
There are few, if any, tools that currently fit this profile.
So I've released the Zed Attack Proxy (ZAP).
This is a fork of the well-regarded Paros Proxy, which unfortunately has not been updated for a while.
The full set of changes is documented here, but essentially they are mostly usability changes and the addition of help pages.
In this blog I'm going to explain different aspects of pen testing from a developer's point of view, using ZAP.
I'll also be further developing ZAP with new features.
And if you want to get involved with the development of ZAP, you will be more than welcome.