Static security analysis of HTML forms without sending any requests. Checks for CSRF tokens, insecure actions, missing validation, hidden field issues, and common security misconfigurations. Safe to run - no payloads sent. Use when user asks to "analyze form security", "check form for vulnerabilities", "static security check".
```
/plugin marketplace add naporin0624/claude-web-audit-plugins
/plugin install web-audit-tools@web-audit-marketplace
```

This skill inherits all available tools. When active, it can use any tool Claude has access to.

Files: dist/index.d.ts, dist/index.js, package.json, src/analyzer.ts, src/cli.ts, src/index.ts, src/reporter.ts, src/types.ts, tsconfig.json

Static analysis of HTML forms to find security issues. No requests sent - just code inspection. Safe and fast.
When analyzing a form, think:

```bash
# Setup (build once)
cd ${CLAUDE_PLUGIN_ROOT}/skills/form-security-analyzer
npm install
npm run build

# Analyze a single file
npx tsx ${CLAUDE_PLUGIN_ROOT}/skills/form-security-analyzer/src/index.ts path/to/file.html

# JSON output
npx tsx ${CLAUDE_PLUGIN_ROOT}/skills/form-security-analyzer/src/index.ts path/to/file.html --json

# Or run the built version
node ${CLAUDE_PLUGIN_ROOT}/skills/form-security-analyzer/dist/index.js path/to/file.html
```
| Check | What It Finds | Bounty Potential |
|---|---|---|
| Missing CSRF Token | Forms without protection | $1K - $10K |
| HTTP Action URL | Credentials sent insecurely | $500 - $5K |
| Hidden sensitive data | API keys, tokens in hidden fields | $500 - $25K |

| Check | What It Finds | Bounty Potential |
|---|---|---|
| State-changing GET | Destructive actions via link | $1K - $5K |
| Predictable IDs | Sequential/guessable object refs | $2K - $50K |

| Check | What It Finds | Bounty Potential |
|---|---|---|
| No email validation | Missing type="email" | $500 - $2K |
| Autocomplete on passwords | Credential caching enabled | $100 - $500 |
| Inline JS handlers | XSS surface area | $500 - $2K |

| Check | What It Finds | Bounty Potential |
|---|---|---|
| Missing maxlength | Potential buffer/storage issues | $100 - $500 |
```html
<!-- BAD: No CSRF token -->
<form action="/transfer" method="POST">
  <input name="amount" />
  <button>Send</button>
</form>

<!-- GOOD: Has CSRF token -->
<form action="/transfer" method="POST">
  <input type="hidden" name="_csrf" value="abc123" />
  <input name="amount" />
  <button>Send</button>
</form>

<!-- BAD: HTTP (credentials exposed) -->
<form action="http://example.com/login" method="POST">
<!-- GOOD: HTTPS -->
<form action="https://example.com/login" method="POST">

<!-- BAD: No validation -->
<input name="email" />
<!-- GOOD: Proper validation -->
<input name="email" type="email" required pattern="[^@]+@[^@]+\.[^@]+" />

<!-- BAD: Autocomplete allows caching -->
<input type="password" name="password" />
<!-- GOOD: Prevent caching -->
<input type="password" name="password" autocomplete="new-password" />

<!-- BAD: Sensitive data exposed -->
<input type="hidden" name="user_id" value="12345" />
<input type="hidden" name="api_key" value="sk_live_xxx" />
<input type="hidden" name="admin" value="false" />
<!-- These are IDOR and privilege escalation opportunities! -->

<!-- BAD: Inline handlers (XSS surface) -->
<form onsubmit="return validate()">

<!-- BAD: State-changing GET -->
<form action="/delete" method="GET">
```
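As an added illustration of how the checks in the tables and the BAD/GOOD snippets above can be implemented statically (example code written for this page, not the plugin's own src/analyzer.ts), the block below flags the same issue classes on a constructed sample built from the BAD snippets. The tag/attribute regexes, the SENSITIVE_HIDDEN name list, the state-changing verb list and the sample HTML are all assumptions made here.

```typescript
// Added illustration, not the plugin's own src/analyzer.ts. Regex-based so it needs no
// dependencies; a production analyzer should use a real HTML parser instead.
type Severity = "critical" | "high" | "medium" | "low";
interface Finding { form: number; type: string; severity: Severity; detail: string }
const SENSITIVE_HIDDEN = /^(api[_-]?key|secret|token|admin|is_admin|role|user_id|price)$/i; // assumed list
// Read one attribute from a raw tag string (handles "x", 'x' and unquoted values).
function attr(tag: string, name: string): string | undefined {
  const m = tag.match(new RegExp(`\\b${name}\\s*=\\s*(?:"([^"]*)"|'([^']*)'|([^\\s>]+))`, "i"));
  return m ? (m[1] ?? m[2] ?? m[3]) : undefined;
}
function analyzeForms(html: string): Finding[] {
  const findings: Finding[] = [];
  const forms: string[] = html.match(/<form\b[^>]*>[\s\S]*?<\/form>/gi) ?? [];
  forms.forEach((form, i) => {
    const open = form.match(/<form\b[^>]*>/i)![0];
    const method = (attr(open, "method") ?? "GET").toUpperCase(); // HTML default is GET
    const action = attr(open, "action") ?? "";
    const inputs: string[] = form.match(/<input\b[^>]*>/gi) ?? [];
    const hidden = inputs.filter(t => /^hidden$/i.test(attr(t, "type") ?? ""));
    const add = (type: string, severity: Severity, detail: string) => findings.push({ form: i, type, severity, detail });
    if (method === "POST" && !hidden.some(t => /csrf|token/i.test(attr(t, "name") ?? "")))
      add("missing-csrf", "critical", "POST form has no hidden CSRF token field (CWE-352)");
    if (/^http:\/\//i.test(action))
      add("http-action", "critical", `action ${action} submits over plain HTTP`);
    if (method === "GET" && /\b(delete|remove|transfer|update|reset)\b/i.test(action))
      add("state-changing-get", "high", `state-changing action ${action} is reachable via GET`);
    for (const t of hidden) {
      const name = attr(t, "name") ?? "";
      if (SENSITIVE_HIDDEN.test(name))
        add("hidden-sensitive", "critical", `hidden field "${name}" carries a secret or a trust decision`);
    }
    for (const t of inputs) {
      const name = (attr(t, "name") ?? "").toLowerCase();
      const type = (attr(t, "type") ?? "text").toLowerCase();
      if (name.includes("email") && type !== "email")
        add("no-email-validation", "medium", `input "${name}" lacks type="email"`);
      if (type === "password" && !/^(off|new-password)$/i.test(attr(t, "autocomplete") ?? ""))
        add("password-autocomplete", "medium", `password field "${name}" allows credential caching`);
    }
    if (/\son[a-z]+\s*=/i.test(form))
      add("inline-handler", "medium", "inline on* handler: XSS surface, blocks a strict CSP");
  });
  return findings;
}

// Constructed sample assembled from the BAD snippets above: three forms, eight expected findings.
const SAMPLE_HTML = `<form action="/transfer" method="POST"><input name="amount" /><button>Send</button></form>
<form action="http://example.com/login" method="POST" onsubmit="return validate()"><input type="hidden" name="_csrf" value="abc123" />
<input type="hidden" name="admin" value="false" /><input name="email" /><input type="password" name="password" /></form>
<form action="/delete" method="GET"><input type="hidden" name="user_id" value="12345" /></form>`;
```

Call `analyzeForms(SAMPLE_HTML)` to get the findings; the first form yields only `missing-csrf`, the second yields five findings, and the GET form yields `state-changing-get` plus `hidden-sensitive`.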
```markdown
# Form Security Analysis: login.html

## Summary

| Severity | Count |
|----------|-------|
| Critical | 2 |
| High | 3 |
| Medium | 1 |
| Low | 1 |
| **Total** | **7** |

## Critical Issues [CRITICAL]

### 1. Missing CSRF Token

**Form**: #login-form
**Type**: missing-csrf
**Bounty Estimate**: $1,000 - $10,000
**OWASP**: A01 | **CWE**: CWE-352

No hidden CSRF token field found. Vulnerable to cross-site request forgery.
```
---
## Hunting Tips
Based on this analysis:
1. **Test CSRF**: Submit form #login-form from a different origin
2. **Test IDOR**: Change the hidden ID to access other users' data
3. **Run dynamic tests**: Use playwright-security-runner for actual exploitation
4. **Check CVEs**: Search for vulnerabilities in any detected frameworks
After static analysis, use:

- attack-methods-lookup - Get attack payloads for found issues
- cve-search - Check if used libraries have known CVEs
- playwright-security-runner - Dynamic testing (with confirmation)

This is static analysis only: use this as reconnaissance, then proceed to dynamic testing.

This skill is 100% safe: run freely without concerns.