name: form-security-analyzer description: Static security analysis of HTML forms without sending any requests. Checks for CSRF tokens, insecure actions, missing validation, hidden field issues, and common security misconfigurations. Safe to run - no payloads sent. Use when user asks to "analyze form security", "check form for vulnerabilities", "static security check".

Form Security Analyzer

Static analysis of HTML forms to find security issues. No requests sent - just code inspection. Safe and fast.

Your Bounty Hunter Perspective

When analyzing a form, think:

• "Where's the money hiding in this form?"
• "What did the developer forget?"
• "How can I abuse this?"

Quick Start

Installation

cd ${CLAUDE_PLUGIN_ROOT}/skills/form-security-analyzer
npm install
npm run build

Run Analysis

# Analyze a single file
npx tsx ${CLAUDE_PLUGIN_ROOT}/skills/form-security-analyzer/src/index.ts path/to/file.html

# JSON output
npx tsx ${CLAUDE_PLUGIN_ROOT}/skills/form-security-analyzer/src/index.ts path/to/file.html --json

Using Built Version

node ${CLAUDE_PLUGIN_ROOT}/skills/form-security-analyzer/dist/index.js path/to/file.html

What It Checks

Critical Issues ($$$)

High Issues

Medium Issues

Low Issues

Security Checks Detail

1. CSRF Protection

<!-- BAD: No CSRF token -->
<form action="/transfer" method="POST">
  <input name="amount" />
  <button>Send</button>
</form>

<!-- GOOD: Has CSRF token -->
<form action="/transfer" method="POST">
  <input type="hidden" name="_csrf" value="abc123" />
  <input name="amount" />
  <button>Send</button>
</form>

2. Secure Action URL

<!-- BAD: HTTP (credentials exposed) -->
<form action="http://example.com/login" method="POST">

<!-- GOOD: HTTPS -->
<form action="https://example.com/login" method="POST">

3. Input Validation

<!-- BAD: No validation -->
<input name="email" />

<!-- GOOD: Proper validation -->
<input name="email" type="email" required pattern="[^@]+@[^@]+\.[^@]+" />

4. Password Security

<!-- BAD: Autocomplete allows caching -->
<input type="password" name="password" />

<!-- GOOD: Prevent caching -->
<input type="password" name="password" autocomplete="new-password" />

5. Hidden Field Analysis

<!-- BAD: Sensitive data exposed -->
<input type="hidden" name="user_id" value="12345" />
<input type="hidden" name="api_key" value="sk_live_xxx" />
<input type="hidden" name="admin" value="false" />

<!-- These are IDOR and privilege escalation opportunities! -->

6. Dangerous Patterns

<!-- BAD: Inline handlers (XSS surface) -->
<form onsubmit="return validate()">

<!-- BAD: State-changing GET -->
<form action="/delete" method="GET">

Output Format

# Form Security Analysis: login.html

## Summary
| Severity | Count |
|----------|-------|
| Critical | 2 |
| High | 3 |
| Medium | 1 |
| Low | 1 |
| **Total** | **7** |

## Critical Issues [CRITICAL]

### 1. Missing CSRF Token
**Form**: #login-form
**Type**: missing-csrf
**Bounty Estimate**: $1,000 - $10,000
**OWASP**: A01 | **CWE**: CWE-352

No hidden CSRF token field found. Vulnerable to cross-site request forgery.

---

## Hunting Tips

Based on this analysis:
1. **Test CSRF**: Submit form #login-form from a different origin
2. **Test IDOR**: Change the hidden ID to access other users' data
3. **Run dynamic tests**: Use playwright-security-runner for actual exploitation
4. **Check CVEs**: Search for vulnerabilities in any detected frameworks

Integration with Other Skills

After static analysis, use:

• attack-methods-lookup - Get attack payloads for found issues
• cve-search - Check if used libraries have known CVEs
• playwright-security-runner - Dynamic testing (with confirmation)

Limitations

This is static analysis only:

• Cannot detect server-side issues
• Cannot verify if CSRF tokens are actually validated
• Cannot test actual exploitation

Use this as reconnaissance, then proceed to dynamic testing.

Safety

This skill is 100% safe:

• Only reads HTML files
• No requests sent
• No payloads executed
• No data modified

Run freely without concerns.