waf-tester runs tests against a URL protected by a Web Application Firewall (WAF). The tests are HTTP requests defined in YAML, based on the FTW format. Use '-template' to see what they look like.
The tests are evaluated by comparing the HTTP response status or the WAF logs against the expected values defined in the tests. If both 'status' and 'log_contains' are defined in a test, only 'status' is evaluated. If '-logs' is not used, tests containing only 'log_contains' are skipped.
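The evaluation rules above, written out in Go as an added example (this is not waf-tester's own code). The Expect struct, its field names, the plain substring match, the skip for a test with no expectation and the sample log line are assumptions made for illustration.

```go
package main

import (
	"fmt"
	"strings"
)

// Expect models the two expectations named above. The struct and field
// names are hypothetical; 0 and "" mean "not defined in the test".
type Expect struct {
	Status      int
	LogContains string
}

const (
	Pass = "pass"
	Fail = "fail"
	Skip = "skip"
)

// Evaluate applies the stated precedence: when 'status' is defined it alone
// decides the result; a log-only test needs logs (-logs) or it is skipped.
func Evaluate(e Expect, gotStatus int, logsEnabled bool, logLines []string) string {
	if e.Status != 0 {
		if gotStatus == e.Status {
			return Pass
		}
		return Fail
	}
	// Assumption: a test with no expectation at all is also skipped.
	if e.LogContains == "" || !logsEnabled {
		return Skip
	}
	for _, line := range logLines {
		// Assumption: plain substring match against each log line.
		if strings.Contains(line, e.LogContains) {
			return Pass
		}
	}
	return Fail
}

func main() {
	// Constructed sample log line, not real WAF output.
	logs := []string{`[id "942100"] constructed sample entry`}
	both := Expect{Status: 403, LogContains: `id "999999"`}
	fmt.Println(Evaluate(both, 403, true, logs)) // log expectation is never checked
	logOnly := Expect{LogContains: `id "942100"`}
	fmt.Println(Evaluate(logOnly, 200, false, nil)) // no logs available
	fmt.Println(Evaluate(logOnly, 200, true, logs))
}
```

A test that must verify which rule fired therefore has to define only 'log_contains'; with 'status' present, a matching status passes the test regardless of the log.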
Download the latest release for your operating system and architecture, or run 'make install'.
Run some WAF tests against localhost:
# Generate tests and run them against localhost.
waf-tester -template > tests.yaml
waf-tester -verbose
# Run tests from the waf_tests folder and also evaluate logs (NOTE: -logs is kind of experimental).
waf-tester -tests waf_tests/ -logs /tmp/var/log/modsec_audit.log
Consider using waf-runner to run a WAF on localhost.
vim main.go
make build # see dist folder
make install # install into ~/go/bin
Check test coverage:
go test -coverprofile cover.out ./...
go tool cover -html=cover.out
If the code is slow, profile it.