Before performing a web application test, it is key that you first understand the basics of HTTP protocol and how it works to requests sent and to responses received.
You can go for the easier option of firing web application scanners like
Acunetix, Web Inspect , Nikto or any other web vulnerability scanner and they can do the work for you but even vulnerability scanners tend to miss some vulnerabilities.
If you dont have the basics with web application testing, I would suggest you first setup a simple lab with vulnerable web applications. Such applications include the famous Webgoat by OWASP, Foundstone Hacme series and there are also a few other good platforms you can use. Irongeek has documented a good list of vulnerable web applications here.
They are quite easy to setup and come with tutorials to guide you through every step, a great learning tool for the beginner and also the expert may see some things they overlook.
There are also some good books on Web application testing , a favourite of mine is by Wrox publishing: Pentesting for web applications. It covers well the basics to the expert stuff.
Fortunately OWASP have come up with a bundled application all in one live cd called the Lab Rat. It contains recent tools like Grendel, Maltego from the great Roelf T for information Gathering, and a lot of other cool tools. Check out the cd here
There are also several tools and plugins you can use during the web application process. My favourite tools are
Tamper Data– Firefox plugin to change on the fly data
Webscarab -Great proxy
w3af– Web application attack and auditing framework
Nikto– Web vuln scanner
Show ip– Firefox plugin to show ip address
Take time to learn and not to rush through the tutorials offered. the thing is that you understand how its done , not just to break it.
Happy web pentesting learning.