Zed Attack Proxy (ZAP) is a free, open-source penetration testing tool being maintained under the umbrella of the Open Web Application Security Project (OWASP). ZAP is designed specifically for testing web applications and is both flexible and extensible. https://www.pixelqa.com/blog/post/how-to-perform-pen-testing-with-owasp-zap