Mastering Kali Linux for Web Penetration Testing

Frameworks through a product

This is a book focused on Kali Linux, but it's worthwhile to mention that there is a slew of products that attempt all-in-one web pen testing. Some of these are very well crafted and maintained, while others have been neglected in recent years but still find advocates based on a unique feature set or an interface.

Beyond the individual tools that ship with Kali Linux, a number of tool suites aim to cover the whole testing lifecycle on their own; only some of them can be installed on Kali itself. Here is a list of some of the more prevalent options:

  • IronWASP (http://ironwasp.org/index.html): This free and open source package runs on Mac and Windows, and under WINE on Linux, and it comes with a broad set of out-of-the-box scanning capabilities. What makes it really powerful, however, is that you can write your own modules, or borrow someone else's, in VB.NET, C#, Ruby, or Python and tailor the tool to your own needs. Its website provides well-scripted, detailed videos that show what the tool can do.
  • Veracode (http://www.veracode.com/products/dynamic-analysis-dast/web-application-security-testing): A newer entry in this arena, Veracode is a SaaS offering that performs cloud-hosted dynamic web application testing; nothing is installed on the tester's machine.
  • IBM Security AppScan (http://www-03.ibm.com/software/products/en/appscan): This all-in-one web and mobile application test suite can be turned loose on target applications to automatically report back on compliance, vulnerabilities, and suggested fixes. It is a popular on-premise option for larger enterprises and has offerings for all phases of the Software Development Life Cycle (SDLC); more recently, IBM has begun to offer cloud-hosted variants as well. IBM's solution sets itself apart from the rest largely through its integration with the vendor's own security and development ecosystem: its QRadar Security Information and Event Management (SIEM) platform, its portfolio of web-focused IDS/IPS products, and its code development platforms.
  • Rapid7 AppSpider (https://www.rapid7.com/products/appspider/): Where IBM focuses on its own ecosystem, Rapid7 offers a similar suite of capabilities but focuses on integration with technology partners. AppSpider is capable of many of the same things, but is geared toward integration with DevOps tooling and a comprehensive list of SIEM, IDS/IPS, and WAF products. It can replay attacks to confirm findings and automatically generate rules for those WAF and IDS/IPS products (so-called virtual patching), and it is a top-end performer with respect to speed, coverage, and usability.
  • HP WebInspect (http://www8.hp.com/us/en/software-solutions/webinspect-dynamic-analysis-dast/): Much like IBM's offerings, WebInspect takes a single-vendor approach that spans secure development and coding through penetration testing and remediation. The cost and complexity of this solution make it a better fit for an in-house application security team than for an outside penetration tester.
  • Acunetix (http://www.acunetix.com): Unlike the IBM, Rapid7, and HP WebInspect options, the Acunetix web vulnerability scanner concentrates on supporting the penetration test itself and on reporting, and does not delve into automated rule generation or patching. This is not a bad thing: what it does, it does well, and those extra features usually go unused when an external pen tester is at work. Acunetix offers rich reporting and frequently finishes at the head of the class in efficacy, coverage, and features.