Some attacks on web applications can be performed using only a standard web browser; however, the majority of them require you to use some additional tools. Many of these tools operate in conjunction with the browser, either as extensions that modify the browser's own functionality, or as external tools that run alongside the browser and modify its interaction with the target application.

The most important item in your toolkit falls into this latter category, and operates as an intercepting web proxy, enabling you to view and modify all of the HTTP messages passing between your browser and the target application. In recent years, basic intercepting proxies have evolved into powerful integrated tool suites containing numerous other functions designed to help you attack web applications. We will examine the three most popular integrated suites and describe how you can best make use of their functionality.

The second main category of tool is the web application scanner. This is a product designed to automate many of the tasks involved in attacking a web application, from initial mapping through to probing for vulnerabilities. We will examine the inherent strengths and weaknesses of web application scanners, and briefly look at the two current market leaders in this area.