The Web Application Hacker's Handbook: http://www.amazon.com/Web-Application-H ... 0470170778
I heard it was good, but I haven't read it yet.
Open source tools can, for example, be found in The Penetration Tester's Open Source Toolkit vol. 2, which may seem a bit "outdated" to some since an older version of the rapidly evolving BackTrack Linux distribution is mentioned. However, most of these tools are essentially the same, even though there may be new features and bug fixes in later versions.
Some of the tools I use are:
Firefox with these add-ons: Firebug, Tamper Data, Live HTTP Headers and Add 'N' Edit Cookies.
(There's a list here too, but it is not up to date: http://firecat.intern0t.net/)
I should note that I only use a few select tools, because I really don't need to use a lot of tools. If I need something beyond the tools I have, I just write it in Python or PHP etc.
Now when you have Firefox with at least most of these bare minimum add-ons (Add 'N' Edit Cookies hasn't been available for later versions of Firefox for a long time), you can proceed to learning and of course installing:
- Nikto (written in Perl, so you also need to install Perl.)
- A transparent proxy (Burp Suite, WebScarab, Paros Proxy, etc. Most of these are written in Java.)
- W3AF (Not that easy to use and install, but it works quite well for some types of pentests, though mostly I don't use it.)
- And a bunch of online tools like http://intern0t.net/xssor (encode strings in a fast way.)
However, with these tools, you should have a good start.
You could also install SQLmap, since you're aiming at finding SQL Injection vulnerabilities. Keep in mind that most of these tools are indeed very nice, but they are unfortunately not that easy to use, especially for beginners, and all of the tools except the manual method can return false positives too. Even false negatives.
Of course, I suggest you check out BackTrack if you just want a lot of tools, but as mentioned previously, you need to understand how these tools work and also how to hack manually. Being able to audit (review) code is not a requirement, but it is a big plus in case you need to find more "obscure" vulnerabilities.