Static security analysis of HTML forms without sending any requests. Checks for CSRF tokens, insecure actions, missing validation, hidden field issues, and common security misconfigurations. Safe to run - no payloads sent. Use when user asks to "analyze form security", "check form for vulnerabilities", "static security check".
This skill inherits all available tools. When active, it can use any tool Claude has access to.
- dist/index.d.ts
- dist/index.js
- package.json
- src/analyzer.ts
- src/cli.ts
- src/index.ts
- src/reporter.ts
- src/types.ts
- tsconfig.json

Static analysis of HTML forms to find security issues. No requests are sent, just code inspection. Safe and fast.
When analyzing a form, think:
```bash
cd ${CLAUDE_PLUGIN_ROOT}/skills/form-security-analyzer
npm install
npm run build

# Analyze a single file
npx tsx ${CLAUDE_PLUGIN_ROOT}/skills/form-security-analyzer/src/index.ts path/to/file.html

# JSON output
npx tsx ${CLAUDE_PLUGIN_ROOT}/skills/form-security-analyzer/src/index.ts path/to/file.html --json

# Run the compiled build
node ${CLAUDE_PLUGIN_ROOT}/skills/form-security-analyzer/dist/index.js path/to/file.html
```
| Check | What It Finds | Bounty Potential |
|---|---|---|
| Missing CSRF Token | Forms without protection | $1K - $10K |
| HTTP Action URL | Credentials sent insecurely | $500 - $5K |
| Hidden sensitive data | API keys, tokens in hidden fields | $500 - $25K |
| State-changing GET | Destructive actions via link | $1K - $5K |
| Predictable IDs | Sequential/guessable object refs | $2K - $50K |
| No email validation | Missing type="email" | $500 - $2K |
| Autocomplete on passwords | Credential caching enabled | $100 - $500 |
| Inline JS handlers | XSS surface area | $500 - $2K |
| Missing maxlength | Potential buffer/storage issues | $100 - $500 |
```html
<!-- BAD: No CSRF token -->
<form action="/transfer" method="POST">
  <input name="amount" />
  <button>Send</button>
</form>

<!-- GOOD: Has CSRF token -->
<form action="/transfer" method="POST">
  <input type="hidden" name="_csrf" value="abc123" />
  <input name="amount" />
  <button>Send</button>
</form>

<!-- BAD: HTTP (credentials exposed) -->
<form action="http://example.com/login" method="POST">

<!-- GOOD: HTTPS -->
<form action="https://example.com/login" method="POST">

<!-- BAD: No validation -->
<input name="email" />

<!-- GOOD: Proper validation -->
<input name="email" type="email" required pattern="[^@]+@[^@]+\.[^@]+" />

<!-- BAD: Autocomplete allows caching -->
<input type="password" name="password" />

<!-- GOOD: Prevent caching -->
<input type="password" name="password" autocomplete="new-password" />

<!-- BAD: Sensitive data exposed -->
<input type="hidden" name="user_id" value="12345" />
<input type="hidden" name="api_key" value="sk_live_xxx" />
<input type="hidden" name="admin" value="false" />
<!-- These are IDOR and privilege escalation opportunities! -->

<!-- BAD: Inline handlers (XSS surface) -->
<form onsubmit="return validate()">

<!-- BAD: State-changing GET -->
<form action="/delete" method="GET">
```
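As an added example (not the skill's own src/analyzer.ts), here is a dependency-free TypeScript checker that applies the checks from the table and the bad/good pairs above to an HTML string without sending anything. The severities, the list of sensitive hidden-field names, the action keywords used to spot state-changing GETs and the sample forms are assumptions constructed for this demo.

```typescript
// Added example, not the skill's own src/analyzer.ts: a dependency-free static checker
// that applies the rules from the table above to an HTML string. It never sends a
// request; it only inspects the markup it is given.
type Finding = { check: string; severity: "critical" | "high" | "medium" | "low"; detail: string };
// Hidden-field names that should never carry secrets or authorization state (assumed list).
const SENSITIVE_HIDDEN = /^(api[_-]?key|secret|token|password|admin|is_admin|role|user_id)$/i;
// Collect name="value" / name='value' / name=value pairs from one opening tag.
function attrs(tag: string): Record<string, string> {
  const out: Record<string, string> = {};
  const re = /([\w:-]+)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))/g;
  for (let m = re.exec(tag); m !== null; m = re.exec(tag)) out[m[1].toLowerCase()] = m[2] ?? m[3] ?? m[4] ?? "";
  return out;
}
function analyzeForms(html: string): Finding[] {
  const findings: Finding[] = [];
  const formRe = /<form\b([^>]*)>([\s\S]*?)<\/form>/gi;
  for (let form = formRe.exec(html); form !== null; form = formRe.exec(html)) {
    const f = attrs(form[1]), body = form[2];
    const id = f.id ? `#${f.id}` : "(unnamed form)";
    const method = (f.method ?? "get").toLowerCase();
    const inputs = (body.match(/<(?:input|textarea|select)\b[^>]*>/gi) ?? []).map(attrs);
    const hidden = inputs.filter(i => (i.type ?? "").toLowerCase() === "hidden");
    const add = (check: string, severity: Finding["severity"], what: string) =>
      findings.push({ check, severity, detail: `${id}: ${what}` });
    if (method === "post" && !hidden.some(i => /csrf|token|nonce/i.test(i.name ?? "")))
      add("missing-csrf", "critical", "POST form has no CSRF token field");
    if (/^http:\/\//i.test(f.action ?? "")) add("http-action", "critical", "action submits over plain HTTP");
    if (method === "get" && /delete|remove|transfer|update|change/i.test(f.action ?? ""))
      add("state-changing-get", "high", "state-changing action reachable via GET");
    for (const h of hidden) if (SENSITIVE_HIDDEN.test(h.name ?? "")) add("hidden-sensitive", "high", `hidden field "${h.name}"`);
    if (Object.keys(f).some(k => k.startsWith("on")) || /\son\w+\s*=/i.test(body))
      add("inline-handler", "medium", "inline event handler (XSS surface)");
    for (const i of inputs) {
      const type = (i.type ?? "text").toLowerCase();
      if (type === "password" && !["new-password", "off"].includes(i.autocomplete ?? ""))
        add("password-autocomplete", "low", "password field allows autocomplete");
      if (type !== "email" && /email/i.test(i.name ?? "")) add("no-email-validation", "medium", `"${i.name}" lacks type="email"`);
    }
  }
  return findings;
}
// Constructed sample: one deliberately weak login form and one that passes every check.
const SAMPLE_HTML = `<form id="login-form" action="http://example.com/login" method="POST" onsubmit="return validate()">
  <input name="email" /> <input type="password" name="password" />
  <input type="hidden" name="api_key" value="sk_live_xxx" /> <button>Login</button></form>
<form id="safe-form" action="https://example.com/transfer" method="POST">
  <input type="hidden" name="_csrf" value="abc123" /> <input name="email" type="email" required />
  <button>Send</button></form>`;
```

Running `analyzeForms(SAMPLE_HTML)` reports six findings, all against `#login-form`, and none against `#safe-form`; a real run would feed the file contents read from disk instead of the constructed string.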
```markdown
# Form Security Analysis: login.html

## Summary

| Severity | Count |
|----------|-------|
| Critical | 2 |
| High | 3 |
| Medium | 1 |
| Low | 1 |
| **Total** | **7** |

## Critical Issues [CRITICAL]

### 1. Missing CSRF Token

**Form**: #login-form
**Type**: missing-csrf
**Bounty Estimate**: $1,000 - $10,000
**OWASP**: A01 | **CWE**: CWE-352

No hidden CSRF token field found. Vulnerable to cross-site request forgery.

---
```
## Hunting Tips
Based on this analysis:
1. **Test CSRF**: Submit form #login-form from a different origin
2. **Test IDOR**: Change the hidden ID to access other users' data
3. **Run dynamic tests**: Use playwright-security-runner for actual exploitation
4. **Check CVEs**: Search for vulnerabilities in any detected frameworks
After static analysis, use:

- attack-methods-lookup - Get attack payloads for found issues
- cve-search - Check if used libraries have known CVEs
- playwright-security-runner - Dynamic testing (with confirmation)

This is static analysis only:
Use this as reconnaissance, then proceed to dynamic testing.

This skill is 100% safe:
Run freely without concerns.