I just had an application security awareness training, and it was quite enlightening.
Of course OWASP was mentioned, with the top ten list of vulnerabilities, along with the WebGoat webapp.
But also tools like:
Fiddler: free Win32 HTTP proxy with scripting facilities, no SSL support and based on .NET
Charles: shareware HTTP proxy in Java with SSL support
WebSleuth: an IE plugin to edit forms; suddenly hacking got so much simpler
Of course there are Firefox plugins to achieve the same set of functionalities.