Manual analysis with Burp/Zed Attack Proxy is going to be your best bet. Tools will only do so much for you; they lack contextual awareness of what the application should do vs. what it is doing.
If you're unfamiliar with performing manual analysis, OWASP has a free, public testing guide available: owasp.org/index.php/OWASP_Testing_Guide_v4_Table_… This is an excellent resource to help aid you in testing the security of your site, so that when you do use the tools mentioned, you have an understanding of what they're doing/trying to accomplish.