Although its not an automated tool itself, WWW::Mechanize allows you to develop site testing tools quickly. HTTP::Recorder helps you generate mech scripts which you can modify to repeat queries with different parameters.
You might modify the parameters sent to be empty, include non-ASCII characters, or use the quote (') and backtick (`) characters to check for SQL and shell escaping, respectively.
If you have access to the source itself, note the errors thrown by enabling taint checking and consider how you might exploit them. Automated tools generally work against a server, but you can look through the source itself - usually a richer source of ideas.