Burp Suite is the main tool for Web App pentesting and it is very often used with the FoxyProxy add-on that automates setting up the proxy on and off on the browser.
The Burp Suite Community Edition is free and in its most recent versions comes with an embedded browser [Link].
Unfortunately, version 2 of the community edition does not offer the Spider function but there are other pieces of software that perform the same test: Skipfish, Grabber, Metasploit… even get can perform such functionality in some way.
Version 2 also throttle the speed of the interactions for most of the resources and it makes the performance very slow.
Alternatively to Burp Suite Community Edition there in ZAP and is already integrated into Kali Linux [Link] and is opensource.
For training purposes, there are DVWP (Damn Vulnerable Web App) [Link] which is also part of the Metasploitable VM [Link], and OWASP Juice Shop [Link].
Juice Shop application can be run for free on Heroku [Link] cloud service. It just needs one click to depoloy.