owasp-modsecurity/ModSecurity-nginx

regarding the Hidden field manipulation

sushmakummari opened this issue · 1 comment

Can a WAF created with modsecurity-nginx stop hidden field manipulation, and is there any rule for it? Can you please give insights to get clarity over hidden field manipulation mitigation with respect to a WAF?

Hello @sushmakummari ,

Regarding "... is there any rule for it ...": As mentioned previously, the ModSecurity engine is managed separately from rulesets. There may be some rule providers who provide some such functionality (but probably not -- at least not generically), but that would be beyond the scope of the ModSecurity engine project or the nginx connector (this repo).

ModSecurity v3 with nginx does not have access to alter HTTP responses sent to clients. So, for example, adding a hash of certain field content that can be received and verified on a subsequent request is not possible.

Is there any way to perform such checks? Sure. But these would generally be custom implementations per expected form submission. For example, one could consider recording a hash in one of the collections that are retained across transactions and use that for comparison later. But, as suggested above, this would likely have to be your own composition.
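The two approaches the reply contrasts, shown as an added Python illustration (this is not ModSecurity rule syntax, not code from the ModSecurity or connector projects, and it does not use libmodsecurity's collections): a stateful check that fingerprints the hidden fields when the form goes out, keeps the fingerprint in per-session state (standing in for a collection retained across transactions), and compares on the next POST; and, for contrast, the stateless variant that needs a signature token added to the outgoing form, which is exactly what a component with no ability to alter responses cannot do. `HiddenFieldGuard`, `DEMO_KEY`, `_hf_sig`, the sample form and the session ids are all assumptions constructed for the example.

```python
"""Hidden-field integrity checks (added example, not project code).

Approach 1 (stateful): record a fingerprint of the hidden fields as the
form is served, keyed by session, and verify the posted values against it.
Approach 2 (stateless): sign the hidden fields and embed the signature in
the form itself; requires the ability to modify the response body.
"""
import hashlib
import hmac
from html.parser import HTMLParser

# Constructed demo secret for approach 2; a real deployment would use a
# per-deployment secret from a key store.
DEMO_KEY = b"constructed-demo-key-not-for-production"

# Constructed sample form: the hidden fields are what an attacker would
# tamper with (e.g. the price).
SAMPLE_FORM = """<form method="post" action="/checkout">
  <input type="hidden" name="item_id" value="1042">
  <input type="hidden" name="price" value="49.99">
  <input type="text" name="quantity" value="1">
  <button type="submit">Buy</button>
</form>"""


class _HiddenFieldParser(HTMLParser):
    """Collects name/value pairs of <input type="hidden"> elements."""

    def __init__(self):
        super().__init__()
        self.fields = {}

    def handle_starttag(self, tag, attrs):
        if tag.lower() != "input":
            return
        a = dict(attrs)
        if (a.get("type") or "").lower() == "hidden" and a.get("name"):
            self.fields[a["name"]] = a.get("value") or ""


def extract_hidden_fields(html: str) -> dict:
    p = _HiddenFieldParser()
    p.feed(html)
    return p.fields


def fingerprint(fields: dict) -> str:
    # Canonical form: sorted name=value lines, so the hash does not depend on
    # the order in which fields appear in the form or the POST body.
    canon = "\n".join(f"{k}={fields[k]}" for k in sorted(fields))
    return hashlib.sha256(canon.encode("utf-8")).hexdigest()


class HiddenFieldGuard:
    """Approach 1: per-session state in place of a persistent collection."""

    def __init__(self):
        # session_id -> (hidden field names, fingerprint); in-memory stand-in
        # for state retained across transactions.
        self._store = {}

    def record_response(self, session_id: str, html: str) -> None:
        fields = extract_hidden_fields(html)
        self._store[session_id] = (sorted(fields), fingerprint(fields))

    def verify_request(self, session_id: str, posted: dict) -> bool:
        entry = self._store.get(session_id)
        if entry is None:
            return False  # no form recorded for this session: fail closed
        names, expected = entry
        # A missing hidden field is treated as an empty value, so dropping a
        # field is detected just like changing one.
        submitted = {n: posted.get(n, "") for n in names}
        return hmac.compare_digest(expected, fingerprint(submitted))


def sign_hidden_fields(fields: dict) -> str:
    """Approach 2: HMAC over the canonical fingerprint; the token must be
    injected into the served form (e.g. as <input name="_hf_sig">), which is
    why it needs response-modification capability."""
    return hmac.new(DEMO_KEY, fingerprint(fields).encode("utf-8"),
                    hashlib.sha256).hexdigest()


def verify_signed_request(posted: dict, hidden_names, sig_field="_hf_sig") -> bool:
    submitted = {n: posted.get(n, "") for n in hidden_names}
    return hmac.compare_digest(posted.get(sig_field, ""),
                               sign_hidden_fields(submitted))


if __name__ == "__main__":
    guard = HiddenFieldGuard()
    guard.record_response("sess-1", SAMPLE_FORM)
    ok = {"item_id": "1042", "price": "49.99", "quantity": "2"}
    tampered = {"item_id": "1042", "price": "0.01", "quantity": "2"}
    print("legit POST accepted:", guard.verify_request("sess-1", ok))
    print("tampered POST accepted:", guard.verify_request("sess-1", tampered))
```

The stateful variant only works if every served form is seen and recorded and if state is keyed by something the client cannot choose freely (a server-issued session identifier), otherwise an attacker can record a fingerprint of their own and replay it; that is the "custom implementation per expected form submission" the reply refers to.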