
Posts Tagged ‘XSS’

Websites are getting more and more complex every day, and almost no purely static websites are being built any more.

Today, even the simplest website has at least a contact or newsletter form, and many are built on CMS systems or use 3rd-party plugins, services, etc. over which we have no exact control.

Even if the website is 100% hand-coded and we trust what we created and believe it is safe, it is still possible that some special character is not sanitized, or that we are simply not aware of a new attack technique.

So it is really hard to say "my website is safe" without running tests against it. The good part is that there are powerful and free web application security testing tools which can help you identify possible holes.

Before presenting them, let's recall the classic: "something is only as secure as its weakest link" (which also reminds us that the weak link is not always the application; it can just as well be the server it is hosted on or that easy-to-remember FTP password).

Netsparker Community Edition (Windows)

This is the free community edition of the powerful Netsparker scanner. It still comes with a good set of features and is advertised as being free of false positives.

The community edition can detect SQL injection and cross-site scripting (XSS) issues.

Once a scan is complete, it displays the suggested fixes alongside the issues and lets you inspect both the browser view and the raw HTTP request/response for each finding.

Websecurify (Windows, Linux, Mac OS X)

Websecurify is a very easy-to-use, open source tool which automatically identifies web application vulnerabilities using crawling-based discovery and fuzzing.

Once a scan has run, it can generate simple reports that can be exported in multiple formats.

The tool is also multilingual and extensible through its add-on support.

Secure input and data handling is hard when it comes to HTML because of the many different forms that malicious markup (XSS) can take.

HTML Purifier is a well-documented, standards-compliant HTML filter library written in PHP. Put simply, it:

  • Removes all malicious code (better known as XSS) with an audited, secure yet permissive whitelist (rather than trying to blacklist known-bad patterns).
  • Makes sure your documents are standards compliant.

HTML Purifier requires PHP 5 (the PHP 4 versions are no longer supported but can still be downloaded). It saves a lot of development time and offers far more expertise than most self-coded data-handling libraries, since HTML Purifier concentrates on this one area only.
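As an added example (not code from the original post or from the HTML Purifier project itself), this is how a practitioner would typically wire HTML Purifier in front of user-supplied rich text. The include path, the cache directory and the sample input are assumptions; the configuration directives used (HTML.Allowed, URI.AllowedSchemes, HTML.Nofollow, Cache.SerializerPath) are the library's own. The point is that everything not explicitly whitelisted is dropped, so the script element, the inline event handlers and the javascript: URI never reach the page.

```php
<?php
// Added example, not part of the original post. Assumes HTML Purifier is installed
// at the path below (assumed path; adjust to your install).
require_once 'htmlpurifier/library/HTMLPurifier.auto.php';

function makePurifier()
{
    $config = HTMLPurifier_Config::createDefault();

    // Permit only the elements and attributes a comment or bio actually needs.
    // Anything not listed here is removed, which is what makes this a whitelist.
    $config->set('HTML.Allowed', 'p,br,b,strong,i,em,ul,ol,li,a[href|title],img[src|alt]');

    // Only http(s) and mailto URIs may appear in href/src. javascript: and data:
    // URIs fail the scheme whitelist, so they are rejected without any pattern matching.
    $config->set('URI.AllowedSchemes', array('http' => true, 'https' => true, 'mailto' => true));

    // Mark outbound links as untrusted for search engines.
    $config->set('HTML.Nofollow', true);

    // Writable directory for HTML Purifier's serialized definition cache (assumed path);
    // without it every request rebuilds the definitions, which is slow.
    $config->set('Cache.SerializerPath', sys_get_temp_dir());

    return new HTMLPurifier($config);
}

// Constructed sample input: legitimate markup mixed with typical XSS payloads.
$dirty = '<p onmouseover="alert(1)">Hello <b>world</b></p>'
       . '<script>alert(document.cookie)</script>'
       . '<img src="x" onerror="alert(1)">'
       . '<a href="javascript:alert(1)">click</a>'
       . '<a href="https://example.com/">ok</a>';

$purifier = makePurifier();
$clean = $purifier->purify($dirty);

// After purification the <script> element, the onmouseover/onerror handlers and the
// javascript: href are gone, while <p>, <b>, <img> and the https link survive.
echo $clean, PHP_EOL;
```

Keep the whitelist as small as the feature needs; widening HTML.Allowed (for example to allow style attributes or iframes) widens the attack surface, and each addition should be justified rather than copied from a broader default.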

This open source secure data handling solution also provides a comparison chart with other HTML filters.

Community-written plugins for CMS software and WYSIWYG editors can be found on the HTML Purifier website.
