This guide will contain minimal details about methods used to test ModSecurity.
The first step is to ensure the cPanel vendor rules are installed and enabled for OWASP.
ModSecurity Vendors - install a cpanel provided modsecurity vendor
The Vendor OWASP has full documentation on how rules can be tested. It would be best to review this information in full if you require in-depth details about testing all rules.
Navigate to the website:
OWASP Web Security Testing Guide
Click the "released versions" tab then select a PDF guide to download. The downloaded PDF contains a lot of information about how to perform tests on the rules maintained by the OWASP vendor.
Commonly you may want to test Directory Traversal, Restricted Command, or File Access. These two tests can be performed with the below curl commands. Both of the listed tests are attempting to break out of a domain public_html also known as the document root. Accessing a path that doesn't exist at the document root or that doesn't try breaking out of the document root will result in a 404 rather than testing the defined ModSecurity rules. Keep this in mind when building your own ModSecurity tests.
( Note: Be sure to replace "domain.com" with a live testing domain on your server. This test also assumes that you have an index.php page on the website to simulate real-world testing. )
Example 1: Directory Traversal protection
curl -I http://domain.com/index.php?f=/../../../../../etc/passwd
Example 2: Restricted command protection for a restricted file
curl -I http://domain.com/index.php?f=/etc/passwd
The Apache main error_log file will also need to be reviewed to determine if the request matched a ModSecurity rule.
To search the log file for the tests in the examples you try the below commands:
grep "index.php?f=/../../../../../etc/passwd" /var/log/apache2/error_log
grep "/index.php?f=/etc/passwd" /var/log/apache2/error_log
Overall when testing rules it is important to review the rule you want to test to ensure the criteria in your test will match the defined rule.