Agent skill
form-security-analyzer
Static security analysis of HTML forms without sending any requests. Checks for CSRF tokens, insecure actions, missing validation, hidden field issues, and common security misconfigurations. Safe to run - no payloads sent. Use when user asks to "analyze form security", "check form for vulnerabilities", "static security check".
Stars
163
Forks
31
Install this agent skill to your Project
npx add-skill https://github.com/majiayu000/claude-skill-registry/tree/main/skills/data/form-security-analyzer
SKILL.md
Form Security Analyzer
Static analysis of HTML forms to find security issues. No requests sent - just code inspection. Safe and fast.
Your Bounty Hunter Perspective
When analyzing a form, think:
- "Where's the money hiding in this form?"
- "What did the developer forget?"
- "How can I abuse this?"
Quick Start
Installation
bash
cd ${CLAUDE_PLUGIN_ROOT}/skills/form-security-analyzer
npm install
npm run build
Run Analysis
bash
# Analyze a single file
npx tsx ${CLAUDE_PLUGIN_ROOT}/skills/form-security-analyzer/src/index.ts path/to/file.html
# JSON output
npx tsx ${CLAUDE_PLUGIN_ROOT}/skills/form-security-analyzer/src/index.ts path/to/file.html --json
Using Built Version
bash
node ${CLAUDE_PLUGIN_ROOT}/skills/form-security-analyzer/dist/index.js path/to/file.html
What It Checks
Critical Issues ($$$)
| Check | What It Finds | Bounty Potential |
|---|---|---|
| Missing CSRF Token | Forms without protection | $1K - $10K |
| HTTP Action URL | Credentials sent insecurely | $500 - $5K |
| Hidden sensitive data | API keys, tokens in hidden fields | $500 - $25K |
High Issues
| Check | What It Finds | Bounty Potential |
|---|---|---|
| State-changing GET | Destructive actions via link | $1K - $5K |
| Predictable IDs | Sequential/guessable object refs | $2K - $50K |
Medium Issues
| Check | What It Finds | Bounty Potential |
|---|---|---|
| No email validation | Missing type="email" | $500 - $2K |
| Autocomplete on passwords | Credential caching enabled | $100 - $500 |
| Inline JS handlers | XSS surface area | $500 - $2K |
Low Issues
| Check | What It Finds | Bounty Potential |
|---|---|---|
| Missing maxlength | Potential buffer/storage issues | $100 - $500 |
Security Checks Detail
1. CSRF Protection
html
<!-- BAD: No CSRF token -->
<form action="/transfer" method="POST">
<input name="amount" />
<button>Send</button>
</form>
<!-- GOOD: Has CSRF token -->
<form action="/transfer" method="POST">
<input type="hidden" name="_csrf" value="abc123" />
<input name="amount" />
<button>Send</button>
</form>
2. Secure Action URL
html
<!-- BAD: HTTP (credentials exposed) -->
<form action="http://example.com/login" method="POST">
<!-- GOOD: HTTPS -->
<form action="https://example.com/login" method="POST">
3. Input Validation
html
<!-- BAD: No validation -->
<input name="email" />
<!-- GOOD: Proper validation -->
<input name="email" type="email" required pattern="[^@]+@[^@]+\.[^@]+" />
4. Password Security
html
<!-- BAD: Autocomplete allows caching -->
<input type="password" name="password" />
<!-- GOOD: Prevent caching -->
<input type="password" name="password" autocomplete="new-password" />
5. Hidden Field Analysis
html
<!-- BAD: Sensitive data exposed -->
<input type="hidden" name="user_id" value="12345" />
<input type="hidden" name="api_key" value="sk_live_xxx" />
<input type="hidden" name="admin" value="false" />
<!-- These are IDOR and privilege escalation opportunities! -->
6. Dangerous Patterns
html
<!-- BAD: Inline handlers (XSS surface) -->
<form onsubmit="return validate()">
<!-- BAD: State-changing GET -->
<form action="/delete" method="GET">
Output Format
markdown
# Form Security Analysis: login.html
## Summary
| Severity | Count |
|----------|-------|
| Critical | 2 |
| High | 3 |
| Medium | 1 |
| Low | 1 |
| **Total** | **7** |
## Critical Issues [CRITICAL]
### 1. Missing CSRF Token
**Form**: #login-form
**Type**: missing-csrf
**Bounty Estimate**: $1,000 - $10,000
**OWASP**: A01 | **CWE**: CWE-352
No hidden CSRF token field found. Vulnerable to cross-site request forgery.
---
## Hunting Tips
Based on this analysis:
1. **Test CSRF**: Submit form #login-form from a different origin
2. **Test IDOR**: Change the hidden ID to access other users' data
3. **Run dynamic tests**: Use playwright-security-runner for actual exploitation
4. **Check CVEs**: Search for vulnerabilities in any detected frameworks
Integration with Other Skills
After static analysis, use:
attack-methods-lookup- Get attack payloads for found issuescve-search- Check if used libraries have known CVEsplaywright-security-runner- Dynamic testing (with confirmation)
Limitations
This is static analysis only:
- Cannot detect server-side issues
- Cannot verify if CSRF tokens are actually validated
- Cannot test actual exploitation
Use this as reconnaissance, then proceed to dynamic testing.
Safety
This skill is 100% safe:
- Only reads HTML files
- No requests sent
- No payloads executed
- No data modified
Run freely without concerns.
Didn't find tool you were looking for?