are you looking for a basic test to verify that the rules are detecting attacks? You could try some proof of concept exploit like appending one of these two examples to your URL.
/?cmd=cat%20/etc/passwd
or
/<script>alert("XSS Attack");</script>
That'll do no harm, but an active WAF should block these requests (or, if not in blocking mode, raise an alert).
