2. Grendel-Scan by David Byrne and Eric Duprey
Grendel-Scan is an open-source web application security testing tool. It has an automated testing module for detecting common web application vulnerabilities, and features geared at aiding manual penetration tests. The only system requirement is Java 5; Windows, Linux and Macintosh builds are available.
3. Paros by Chinotec
4. Powerfuzzer by Marcin Kozlowski
5. SecurityQA Toolbar by iSEC Partners
The SecurityQA Toolbar is a testing product for web application security. During the QA phase of the SDLC, quality assurance groups can use the toolbar to perform security/regression testing.
6. W3AF by Andres Riancho
w3af is a Web Application Attack and Audit Framework. The project's goal is to create a framework to find and exploit web application vulnerabilities that is easy to use and extend.
7. Wapiti by Nicolas Surribas
Wapiti allows you to audit the security of your web applications.
It performs "black-box" scans, i.e. it does not study the source code of the application but scans the web pages of the deployed webapp, looking for scripts and forms where it can inject data.
Once it gets this list, Wapiti acts like a fuzzer, injecting payloads to see if a script is vulnerable.
Details on commercial vs. open-source web application security scanners are listed at: http://webappsec.pbworks.com/Web-Application-Security-Scanner-List