Burp Suite is one of the most famous applications for testing and scanning a web application.
This tool allows for sending and modifying HTTP requests in real-time via a pre-configured proxy. This basically means you are performing a Man-In-The-Middle attack on yourself, to keep it short.
Again, this tool can get really complex for the average noob since you need some networking knowledge, but I will try to explain its common uses.
This is the easiest use: you just configure the proxy in a browser and open the webpage you wish to test.
Burp Suite automatically saves the requests and responses that you interact with; to view them, just go to HTTP history.
Intruder allows for brute forcing parameters either in the request headers or the data payload. It's pretty straightforward to use.
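Seen from the server, an Intruder run against a single parameter shows up as many requests that differ only in that parameter's value. The code below is an added example (not from the original post) that flags this pattern in access logs. The log format, the sample lines, the `find_param_sweeps` name and the threshold of 20 are assumptions made for illustration.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit, parse_qsl

# Constructed sample access-log lines (not real traffic): client, request line, status.
SAMPLE_LOG = [f'203.0.113.7 "GET /reset?user=alice&code={n:04d} HTTP/1.1" 403' for n in range(40)]
SAMPLE_LOG += [
    '203.0.113.7 "GET /reset?user=alice&code=0040 HTTP/1.1" 200',
    '198.51.100.2 "GET /search?q=shoes&page=1 HTTP/1.1" 200',
    '198.51.100.2 "GET /search?q=shoes&page=2 HTTP/1.1" 200',
    '198.51.100.2 "GET /search?q=boots&page=1 HTTP/1.1" 200',
]

# Assumed log format: <client> "<method> <target> <protocol>" <status>
LINE_RE = re.compile(r'^(\S+) "(\S+) (\S+) [^"]*" (\d{3})$')

def find_param_sweeps(lines, threshold=20):
    """Flag (client, path, parameter) where one parameter takes many distinct
    values while every other parameter stays fixed, the pattern a
    single-position payload sweep leaves in server logs."""
    # key: (client, method, path, swept param, frozen other params) -> set of values
    seen = defaultdict(set)
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that are not in the assumed format
        client, method, target, _status = m.groups()
        url = urlsplit(target)
        params = parse_qsl(url.query, keep_blank_values=True)
        for i, (name, value) in enumerate(params):
            # Everything except the parameter under test must be identical.
            others = tuple(sorted(params[:i] + params[i + 1:]))
            seen[(client, method, url.path, name, others)].add(value)
    hits = [
        {"client": c, "method": meth, "path": p, "param": n, "distinct_values": len(v)}
        for (c, meth, p, n, _others), v in seen.items()
        if len(v) >= threshold  # threshold is an assumed tuning value
    ]
    return sorted(hits, key=lambda h: -h["distinct_values"])

if __name__ == "__main__":
    for hit in find_param_sweeps(SAMPLE_LOG):
        print(hit)
```

Normal browsing (the `/search` requests in the sample) changes several parameters at once and stays under the threshold, so only the `code` sweep is reported.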
Sometimes you need to brute force something by hand, changing maybe just one letter or symbol and checking whether the response is what you need.
This tool is very useful for checking whether a web application is vulnerable to input-based vulnerabilities such as SSRF, LFI, XXE, etc.