For free, I would go with OWASP Zed Attack Proxy (ZAP). For relatively cheap, I would go with Burp Suite Pro. Some other free tools that may help you are CMS-specific scanners like WPScan which are featured in Kali, but that is dependent on whether or not your target is sitting on something like Wordpress/Drupal/etc.
Wordpress and Drupal are popular open-sourced content management systems that web developers use as frameworks to expedite time to build wesites. They also come with a number of their own vulnerabilities, like default configurations and old, vulnerable plugins. There are some free scanners in Kali Linux that quickly check for issues that are often seen with these types of sites, like WPScan.