Copied from: Daniel Kelley, on LinkedIn
Former Black Hat Hacker. Contributed to over 100 bug bounty programs. Writes about cybersecurity and privacy.

NOTE: If you decide to use any of these tools, it is at your own risk; I do not accept any responsibility for anybody else’s actions.

Introducing 24 web-application hacking tools:

  1. Burp Suite – Intercepting proxy and web-testing framework.
  2. ZAP Proxy – Open-source intercepting proxy and scanner.
  3. Dirsearch – Web path (directory and file) bruteforcing.
  4. Nmap – Port scanning and service detection.
  5. Sublist3r – Subdomain discovery from search engines and other passive sources.
  6. Amass – Subdomain discovery and attack-surface mapping.
  7. SQLmap – SQLi detection and exploitation.
  8. Metasploit – Exploitation framework.
  9. WPscan – WordPress enumeration and vulnerability scanning.
  10. Nikto – Webserver scanning.
  11. HTTPX – HTTP probing (which hosts answer, status codes, titles).
  12. Nuclei – Template-based vulnerability scanning (YAML templates).
  13. FFUF – Web fuzzing (paths, parameters, virtual hosts).
  14. Subfinder – Subdomain discovery from passive sources.
  15. Masscan – Mass IP and port scanner.
  16. Lazy Recon – Recon automation (subdomain discovery, probing, screenshots).
  17. XSS Hunter – Blind XSS discovery via callback payloads.
  18. Aquatone – Visual recon (screenshots of discovered HTTP services).
  19. LinkFinder – Endpoint discovery through JS files.
  20. JS-Scan – Endpoint discovery through JS files.
  21. GAU – Historical URL collection (Wayback Machine, Common Crawl and similar) for attack-surface mapping.
  22. Parameth – Bruteforce GET and POST parameters.
  23. truffleHog – Find credentials and secrets in git history (e.g. GitHub commits).
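The tools above are usually chained rather than run one at a time: subdomain discovery feeds HTTP probing, and only the hosts that answer are handed to a template scanner. The script below is an added example of that chain and is not part of the original post. It assumes subfinder, amass, httpx and nuclei are installed and on PATH, that the flags shown match the versions you have installed, and that you supply a scope file of in-scope apex domains (one per line). The `in_scope` filter is the part a bug-bounty hunter most often forgets: passive sources happily return hosts that merely contain the target's name, and scanning those is out of scope.

```shell
#!/bin/sh
# Added example (not from the original post): a minimal recon chain built
# from tools in the list above. Assumes subfinder, amass, httpx and nuclei
# are installed; the scope file and output directory are yours to supply.
set -eu

# in_scope SCOPE_FILE
#   Reads candidate hostnames on stdin and prints only those that are an
#   in-scope apex domain or a subdomain of one, lowercased and deduplicated.
#   Matching walks label by label (a.b.example.com -> b.example.com ->
#   example.com), so "notexample.com" and "example.com.evil.net" are
#   rejected. Only the first whitespace-delimited token of each line is
#   used, which also copes with tools that print extra relationship text
#   after the hostname. Pure text processing: runs without any tool installed.
in_scope() {
  scope_file=$1
  tr 'A-Z' 'a-z' | sed 's/\.$//' | awk -v sf="$scope_file" '
    BEGIN { while ((getline line < sf) > 0) if (line != "") scope[tolower(line)] = 1 }
    NF == 0 { next }
    {
      host = $1
      h = host
      while (h != "") {
        if (h in scope) { print host; break }
        i = index(h, ".")
        if (i == 0) break
        h = substr(h, i + 1)
      }
    }' | sort -u
}

# recon_chain SCOPE_FILE OUTDIR
#   1. enumerate subdomains from two independent passive sources,
#   2. keep only in-scope hosts,
#   3. probe which of them answer HTTP(S),
#   4. run nuclei templates against the live hosts only.
recon_chain() {
  scope_file=$1
  outdir=$2
  mkdir -p "$outdir"
  for tool in subfinder amass httpx nuclei; do
    command -v "$tool" >/dev/null 2>&1 || { echo "missing tool: $tool" >&2; return 1; }
  done

  while read -r apex; do
    [ -n "$apex" ] || continue
    subfinder -d "$apex" -silent
    amass enum -passive -d "$apex"
  done < "$scope_file" | in_scope "$scope_file" > "$outdir/hosts.txt"

  httpx -l "$outdir/hosts.txt" -silent > "$outdir/live.txt"

  nuclei -l "$outdir/live.txt" -severity medium,high,critical -o "$outdir/findings.txt"
  echo "hosts: $(wc -l < "$outdir/hosts.txt"), live: $(wc -l < "$outdir/live.txt"), findings in $outdir/findings.txt"
}

# Usage: sh recon.sh run scope.txt out/
# With no arguments the script only defines the functions above.
if [ "${1:-}" = "run" ]; then
  recon_chain "$2" "$3"
fi
```

Keep the scope file as the single source of truth for what you are allowed to touch: every list that reaches httpx or nuclei has already passed through `in_scope`, so a stray wildcard result from a passive source never turns into a scan of someone else's host.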