My favorite 10 web application fuzzing tools in fuzzy order

1. SPIKE Proxy 
It is a professional-grade tool for looking for application-level vulnerabilities in web applications. SPIKE Proxy covers the basics, such as SQL Injection and cross-site-scripting, but it’s completely open Python infrastructure allows advanced users to customize it for web applications that other tools fall apart on. SPIKE Proxy is available for Linux and Windows.

2. WebScarab 
WebScarab is a framework for analyzing applications that communicate using the HTTP and HTTPS protocols. It is written in Java, and is thus portable to many platforms. WebScarab has several modes of operation, implemented by a number of plugins.
Parameter fuzzer plugin performs automated substitution of parameter values that are likely to expose incomplete parameter validation, leading to vulnerabilities like Cross Site Scripting (XSS) and SQL Injection.

3. Burp Intruder 
Burp intruder is a highly configurable java web application security tool and can be used to automate a wide range of attacks against applications, including testing for common web application  vulnerabilities such as SQL injection, cross-site scripting, buffer overflows and directory traversal; brute force attacks against authentication schemes; enumeration; parameter manipulation; trawling for hidden content and functionality; session token sequencing and session hijacking; data mining; concurrency attacks; and application-layer denial-of-service attacks.

4. Wapiti 
Wapiti allows you to audit the security of your web applications.It performs "black-box" scans, i.e. it does not study the source code of the application but will scans the webpages of the deployed webapp, looking for scripts and forms where it can inject data. Once it gets this list, Wapiti acts like a fuzzer, injecting payloads to see if a script is vulnerable.

5. RFuzz The Web Destroyer
RFuzz is a Ruby library to easily test web applications from the outside using a fast HttpClient and wicked evil RandomGenerator allowing the average programmer to use advanced fuzzing techniques for just pennies a day.

6. OWASP WSFuzzer
WSFuzzer is a GPL’d program, written in Python, that currently targets Web Services. In the current version HTTP based SOAP services are the main target. This tool was created based on, and to automate, some real-world manual SOAP pen testing work.

7. SPI Fuzzer (member of SPI Dynamics WebInspect suite) 
It identifies buffer overflows using HTTP fuzzing or modification of input variables.Trial version available for download.

8. Suru Web Proxy 
Suru gives the analyst the ability to fuzz ANY part of the HTTP request. This obviously includes GET and POST parameters, but can also be extended to Host: fields, Content-length: etc. The analyst can choose to fuzz any point of the HTTP request header or body. These "Fuzz control points" can be fuzzed with any value – and Suru includes some sample fuzz strings by default.

9. AppScan
AppScan scans and tests for all common web application vulnerabilities – including those identified in the WASC threat classification – such as SQL-Injection, Cross-Site Scripting and Buffer Overflow.

10. ASP Auditor 
The purpose of this tool is to look for common misconfiguration and information leaks in ASP.NET applications.

What are your favorite Web App testing tools ?