The following is a risk and tool matrix.
| Risk | Tool |
|---|---|
| A1: Injection | SQL Inject Me |
| A2: Cross-Site Scripting (XSS) | ZAP |
| A3: Broken Authentication and Session Management | HackBar |
| A4: Insecure Direct Object References | Burp |
| A5: Cross-Site Request Forgery (CSRF) | Tamper Data |
| A6: Security Misconfiguration | Watobo |
| A7: Insecure Cryptographic Storage | N/A |
| A8: Failure to Restrict URL Access | Nikto/Wikto |
| A9: Insufficient Transport Layer Protection | Calomel |
| A10: Unvalidated Redirects and Forwards | Watcher |
The article is a good reference point for anyone looking to test web applications along the lines of OWASP.
Full article can be found here:
There’s another interesting article by Rakkhi Samarasekera on mitigating the OWASP Top 10 without touching any code.
This might be useful for many legacy apps.