Some of the popular open-source Web proxies are WebScarab, Paros Proxy, and Burp Proxy. These are essentially man-in-the-middle proxies that sit between the Web browser and the Web server and allow the assessor to observe and manipulate the Web traffic.
There aren't many open-source automated scanners for Web applications -- that is, things that you just point at a URL and say "scan it." One is Nikto, but it tests mostly for misconfigured Web servers and doesn't really touch the Web application logic itself.
-- Chris Eng, director of security services at Veracode, contributed to this response.
This was first published in December 2007