
I'm implementing mod_security on an apache server. In order to test the effectiveness of the protection, I am looking for a client that can generate a set of predefined malicious HTTP requests. I will test the requests with and without mod_security enabled and based on the logs see what percentage of malicious requests has been blocked.

Do you know any good tools to generate a set of predefined malicious HTTP requests?

John Gardeniers
Max
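The measurement the question describes (replay a fixed set of hostile-looking requests, count how many the WAF stops) can be scripted in a few lines. The following is an added example, not code from the original post or from the mod_security project. It assumes the target answers with an HTTP 403 (the rule set's usual denial code) or drops the connection when it blocks a request, and it ships a small constructed probe set of generic, widely published WAF test strings plus one benign control request, so that the same run also catches a rule set that over-blocks legitimate traffic.

```python
"""Measure what fraction of a predefined set of hostile-looking HTTP requests
a WAF such as mod_security blocks, and whether a benign control request still
passes.  Added example, not part of the original Server Fault post.

Assumptions: blocked requests come back as HTTP 403 (or another status in
BLOCKED_STATUSES) or the connection is dropped; the target host is your own
test instance, run once with the WAF disabled and once with it enabled.
"""
import sys
import urllib.error
import urllib.parse
import urllib.request
from typing import Callable, Dict, List, Tuple

# Constructed probe set: (label, path, query parameters).  These are textbook
# detection-test strings used only to see whether the rule set reacts; the
# last entry is a benign control that a sane rule set must let through.
PROBES: List[Tuple[str, str, Dict[str, str]]] = [
    ("sqli-tautology", "/index.php", {"id": "1' OR '1'='1"}),
    ("xss-script-tag", "/search", {"q": "<script>alert(1)</script>"}),
    ("path-traversal", "/download", {"file": "../../etc/passwd"}),
    ("cmd-injection", "/ping", {"host": "127.0.0.1; cat /etc/passwd"}),
    ("benign-control", "/index.php", {"id": "42"}),
]

CONTROL_LABEL = "benign-control"
# Status codes commonly returned by mod_security deny actions; 403 is the
# default.  0 is our own marker for "connection dropped".
BLOCKED_STATUSES = {403, 406, 501}


def http_status(url: str, timeout: float = 5.0) -> int:
    """Send one GET and return the HTTP status; a dropped connection maps to 0."""
    req = urllib.request.Request(url, headers={"User-Agent": "waf-probe/0.1"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status
    except urllib.error.HTTPError as e:
        return e.code          # 403 etc. arrive here, not in the success path
    except (urllib.error.URLError, OSError):
        return 0


def build_url(base_url: str, path: str, params: Dict[str, str]) -> str:
    """Join base URL, path and URL-encoded query string."""
    return base_url.rstrip("/") + path + "?" + urllib.parse.urlencode(params)


def run_probes(base_url: str,
               sender: Callable[[str], int] = http_status) -> Dict[str, int]:
    """Replay every probe against base_url and record the status per label.
    `sender` is injectable so the scoring logic can be exercised offline."""
    return {label: sender(build_url(base_url, path, params))
            for label, path, params in PROBES}


def is_blocked(status: int) -> bool:
    return status == 0 or status in BLOCKED_STATUSES


def summarize(results: Dict[str, int]) -> Dict[str, object]:
    """Percentage of hostile probes blocked, plus whether the control passed.
    The control is excluded from the percentage so over-blocking shows up as a
    separate signal instead of inflating the score."""
    hostile = {k: v for k, v in results.items() if k != CONTROL_LABEL}
    blocked = sum(1 for s in hostile.values() if is_blocked(s))
    return {
        "blocked_pct": 100.0 * blocked / len(hostile),
        "control_passed": not is_blocked(results[CONTROL_LABEL]),
        "blocked": sorted(k for k, s in hostile.items() if is_blocked(s)),
        "passed": sorted(k for k, s in hostile.items() if not is_blocked(s)),
    }


if __name__ == "__main__":
    # Usage: python waf_probe.py http://test-host.example   (placeholder host)
    target = sys.argv[1] if len(sys.argv) > 1 else "http://127.0.0.1"
    report = summarize(run_probes(target))
    print(f"blocked {report['blocked_pct']:.0f}% of hostile probes; "
          f"benign control passed: {report['control_passed']}")
    print("blocked:", report["blocked"])
    print("passed :", report["passed"])
```

Run it once against the instance with mod_security off (expect 0% blocked, control passes) and once with it on; the difference is the figure the question asks for, and a failing control is the false-positive warning you want before enabling the rule set in production. Cross-check the labels in the "blocked" list against the audit log so each count corresponds to a logged rule hit rather than, say, a timeout.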

1 Answer


There are several free/open source options out there. A close friend of mine who's a Web applications pen tester uses none of these (with the exception of Nessus, but only the Professional Feed), as their toolset is quite a bit more sophisticated and contains many unpublished zero-day exploits. However, they're very expensive and require certain certifications/qualifications to purchase.

While these tools may not be on the bleeding edge as far as pure, zero-day vulnerability scanning goes, there are still a lot of older, well-known vulnerabilities that are exploited daily, so this will certainly give you a pretty good idea of what's potentially vulnerable on your system, exploit or not (i.e. finding unscrubbed parameters, any misconfigurations, etc.).

A couple of things that you may not be aware of:

  • Full scans can take days, sometimes weeks, to complete, depending on the size of the site, the network (see below), and the breadth/depth of scan rules. Plan accordingly.
  • Some of the scanners have throttling features, but because of the sheer volume of requests, it's better to:

    a) test your Web application on a fast network (LAN);

    b) obviously this Web application shouldn't be in production and if so, I'd be running it with a test data set;

    c) have plenty of resources for logging (or disable it altogether).

You may also want to periodically check the online vulnerability databases for known exploits out there; I do a periodic search for any open source Web applications I'm hosting and disable or patch as required (I'm looking at you Joomla).

gravyface