Very nice list though it only aims at software exploitation (aka service exploitation) which can contain many bugs of course, but web applications nowadays are also entry points into the target system.
Knowing PHP and or ASP is a good idea in my opinion but besides that, there's my tool list for Web App Sec:
- FireFox with Firebug, Live HTTP Headers, Tamper Data and Add 'N' Edit Cookies.
- Burp Suite (free) - For more advanced stuff
- Nikto - A very nice active web application scanner which is good if you don't have any obvious entry points.
- Maltego - Information gathering, it's a must to have installed.
- Whois, Netcraft and Google - Useful services to find information about the target.
- W3AF - Open source web application scanner
- Acunetix - Commercial but quite efficient web app scanner.
- Pangolin - SQL Injection "Assistant". I am not sure if you can fully trust this program but it is very nice.
- SQLmap - Nice open source SQL Injection Assistant tool. (It it quite good, but knowledge about SQLi is a must.)
- Metasploit - It has some nice Web App Sec modules and scanners but I hardly ever use them.
Whenever it is possible to execute PHP code on the target system I tend to use this:
HaXxd00r - http://intern0t.net/haxxd00r/
(it's a backdoor creator, it's used when I need to create and encode a backdoor in php fast.)
XSSOR - http://intern0t.net/xssor/
(mostly used for XSS encoding, but I use it to encode backdoors too.)
And of course custom Python and PHP scripts written on-the-fly. (Mostly simple yet helpful stuff.)
I hope someone will benefit from this list even though it looks incomplete but Web App Sec, doesn't really require that many tools because most of the tools available, are just made to speed up the process or aid during a pentest.
Keep in mind that some hosts filters vulnerability scanners and denies them access by looking at the user-agent so if you modify that then this limitation shouldn't affect you. Furthermore, vulnerability scanners produces a lot of traffic including logs, keep that in mind if you need to be stealthy, stay away from these scanners.
If it's only a matter of traffic, simply use these scanners while there's a lot of traffic towards the target site. However sometimes, "attacking" while there really isn't any traffic can be a good idea too.