Install Skill

1. Download the skill
2. Enable skills in Claude: open claude.ai/settings/capabilities and find the "Skills" section
3. Upload to Claude: click "Upload skill" and select the downloaded ZIP file

Note: Please verify the skill by going through its instructions before using it.

SKILL.md

name: form-security-analyzer
description: Static security analysis of HTML forms without sending any requests. Checks for CSRF tokens, insecure actions, missing validation, hidden field issues, and common security misconfigurations. Safe to run - no payloads sent. Use when user asks to "analyze form security", "check form for vulnerabilities", "static security check".

Form Security Analyzer

Static analysis of HTML forms to find security issues. No requests sent - just code inspection. Safe and fast.

Your Bounty Hunter Perspective

When analyzing a form, think:

  • "Where's the money hiding in this form?"
  • "What did the developer forget?"
  • "How can I abuse this?"

Quick Start

Installation

cd ${CLAUDE_PLUGIN_ROOT}/skills/form-security-analyzer
npm install
npm run build

Run Analysis

# Analyze a single file
npx tsx ${CLAUDE_PLUGIN_ROOT}/skills/form-security-analyzer/src/index.ts path/to/file.html

# JSON output
npx tsx ${CLAUDE_PLUGIN_ROOT}/skills/form-security-analyzer/src/index.ts path/to/file.html --json

Using Built Version

node ${CLAUDE_PLUGIN_ROOT}/skills/form-security-analyzer/dist/index.js path/to/file.html

What It Checks

Critical Issues ($$$)

| Check | What It Finds | Bounty Potential |
|-------|---------------|------------------|
| Missing CSRF Token | Forms without protection | $1K - $10K |
| HTTP Action URL | Credentials sent insecurely | $500 - $5K |
| Hidden sensitive data | API keys, tokens in hidden fields | $500 - $25K |

High Issues

| Check | What It Finds | Bounty Potential |
|-------|---------------|------------------|
| State-changing GET | Destructive actions via link | $1K - $5K |
| Predictable IDs | Sequential/guessable object refs | $2K - $50K |

Medium Issues

| Check | What It Finds | Bounty Potential |
|-------|---------------|------------------|
| No email validation | Missing type="email" | $500 - $2K |
| Autocomplete on passwords | Credential caching enabled | $100 - $500 |
| Inline JS handlers | XSS surface area | $500 - $2K |

Low Issues

| Check | What It Finds | Bounty Potential |
|-------|---------------|------------------|
| Missing maxlength | Potential buffer/storage issues | $100 - $500 |

Security Checks Detail

1. CSRF Protection

<!-- BAD: No CSRF token -->
<form action="/transfer" method="POST">
  <input name="amount" />
  <button>Send</button>
</form>

<!-- GOOD: Has CSRF token -->
<form action="/transfer" method="POST">
  <input type="hidden" name="_csrf" value="abc123" />
  <input name="amount" />
  <button>Send</button>
</form>

2. Secure Action URL

<!-- BAD: HTTP (credentials exposed) -->
<form action="http://example.com/login" method="POST">

<!-- GOOD: HTTPS -->
<form action="https://example.com/login" method="POST">

3. Input Validation

<!-- BAD: No validation -->
<input name="email" />

<!-- GOOD: Proper validation -->
<input name="email" type="email" required pattern="[^@]+@[^@]+\.[^@]+" />

4. Password Security

<!-- BAD: Autocomplete allows caching -->
<input type="password" name="password" />

<!-- GOOD: Prevent caching -->
<input type="password" name="password" autocomplete="new-password" />

5. Hidden Field Analysis

<!-- BAD: Sensitive data exposed -->
<input type="hidden" name="user_id" value="12345" />
<input type="hidden" name="api_key" value="sk_live_xxx" />
<input type="hidden" name="admin" value="false" />

<!-- These are IDOR and privilege escalation opportunities! -->

6. Dangerous Patterns

<!-- BAD: Inline handlers (XSS surface) -->
<form onsubmit="return validate()">

<!-- BAD: State-changing GET -->
<form action="/delete" method="GET">
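The six checks above, implemented as one small static checker in TypeScript (the language the skill itself is written in). This is an added example, not the plugin's own src/index.ts: it uses regex matching on the raw HTML string rather than an HTML parser so it needs no dependencies, and the CSRF field names, sensitive-name patterns, object-id naming and state-changing action words are assumptions chosen for the example. SAMPLE_HTML is constructed for the demonstration and is not taken from any real site.

```typescript
// Added example (not the plugin's own source): a minimal static form checker that
// implements the six checks described above by regex matching on the raw HTML.
// It reads a string only; nothing is fetched, submitted or executed.

export type Severity = "critical" | "high" | "medium" | "low";

export interface Finding {
  severity: Severity;
  type: string;    // machine-readable id, e.g. "missing-csrf"
  form: string;    // id attribute of the form, or "(anonymous)"
  message: string;
}

// Read one attribute from a tag string (the text between '<' and '>').
function attr(tag: string, name: string): string | null {
  const m = tag.match(new RegExp(`(?:^|\\s)${name}\\s*=\\s*["']([^"']*)["']`, "i"));
  return m ? m[1] : null;
}

// Naming conventions assumed for this example; tune them for the target code base.
const CSRF_NAMES = /csrf|xsrf|authenticity_token|requestverificationtoken|_token$/i;
const SENSITIVE_NAMES = /api[_-]?key|secret|token|password|admin|role/i;
const OBJECT_ID_NAMES = /(^|_)id$/i;
const STATE_CHANGING_ACTIONS = /delete|remove|update|transfer|pay|reset|change/i;
const TEXT_TYPES = new Set(["", "text", "email", "password", "search", "tel", "url"]);

export function analyzeForms(html: string): Finding[] {
  const findings: Finding[] = [];
  const formRe = /<form\b([^>]*)>([\s\S]*?)<\/form>/gi;
  let fm: RegExpExecArray | null;
  while ((fm = formRe.exec(html)) !== null) {
    const [, formTag, body] = fm;
    const form = attr(formTag, "id") ?? "(anonymous)";
    const method = (attr(formTag, "method") ?? "GET").toUpperCase();
    const action = attr(formTag, "action") ?? "";
    const add = (severity: Severity, type: string, message: string) =>
      findings.push({ severity, type, form, message });

    const inputs = body.match(/<input\b[^>]*>/gi) ?? [];
    const hidden = inputs.filter((i) => (attr(i, "type") ?? "").toLowerCase() === "hidden");
    const noMaxlength: string[] = [];

    // 1. CSRF: a POST form needs a hidden token field (presence only; validation is server-side).
    if (method === "POST" && !hidden.some((i) => CSRF_NAMES.test(attr(i, "name") ?? ""))) {
      add("critical", "missing-csrf", "No hidden CSRF token field found");
    }
    // 2. Action URL: plain HTTP sends the submission in clear text.
    if (/^http:\/\//i.test(action)) {
      add("critical", "insecure-action", `Form submits to ${action} over plain HTTP`);
    }
    // 6. State-changing GET: a destructive action reachable from a plain link.
    if (method === "GET" && STATE_CHANGING_ACTIONS.test(action)) {
      add("high", "state-changing-get", `State-changing action ${action} uses GET`);
    }
    // 6. Inline handlers widen the XSS surface and block a strict CSP.
    if (/\son[a-z]+\s*=/i.test(formTag + body)) {
      add("medium", "inline-handler", "Inline event handler attribute present");
    }
    for (const input of inputs) {
      const name = attr(input, "name") ?? "";
      const type = (attr(input, "type") ?? "").toLowerCase();
      const value = attr(input, "value") ?? "";
      if (type === "hidden") {
        // 5. Hidden fields: secrets and privilege flags are client-controlled here.
        if (SENSITIVE_NAMES.test(name) && !CSRF_NAMES.test(name)) {
          add("critical", "hidden-sensitive", `Hidden field "${name}" carries sensitive data`);
        }
        // A numeric object reference in a hidden field is an IDOR indicator.
        if (OBJECT_ID_NAMES.test(name) && /^\d+$/.test(value)) {
          add("high", "predictable-id", `Hidden field "${name}" holds a sequential-looking id`);
        }
        continue;
      }
      // 3. Input validation: an email field should declare type="email".
      if (/email/i.test(name) && type !== "email") {
        add("medium", "no-email-validation", `Field "${name}" lacks type="email"`);
      }
      // 4. Password fields should set an explicit autocomplete policy.
      if (type === "password" && attr(input, "autocomplete") === null) {
        add("medium", "password-autocomplete", `Password field "${name}" has no autocomplete attribute`);
      }
      if (TEXT_TYPES.has(type) && attr(input, "maxlength") === null) noMaxlength.push(name);
    }
    if (noMaxlength.length > 0) {
      add("low", "missing-maxlength", `No maxlength on: ${noMaxlength.join(", ")}`);
    }
  }
  return findings;
}

// Severity counts in the order the report's summary table uses.
export function summarize(findings: Finding[]): Record<Severity, number> {
  const counts: Record<Severity, number> = { critical: 0, high: 0, medium: 0, low: 0 };
  for (const f of findings) counts[f.severity]++;
  return counts;
}

// Constructed sample (not from any real site): one weak form, one hardened form, one GET form.
export const SAMPLE_HTML = `
<form id="transfer-form" action="/transfer" method="POST" onsubmit="return validate()">
  <input type="hidden" name="user_id" value="12345" />
  <input type="hidden" name="api_key" value="sk_live_xxx" />
  <input name="amount" />
  <input name="email" />
  <input type="password" name="password" />
  <button>Send</button>
</form>
<form id="login-form" action="https://example.com/login" method="POST">
  <input type="hidden" name="_csrf" value="abc123" />
  <input name="email" type="email" required maxlength="254" />
  <input type="password" name="password" autocomplete="new-password" maxlength="128" />
  <button>Log in</button>
</form>
<form action="http://example.com/delete" method="GET">
  <input type="hidden" name="id" value="42" />
</form>
`;

console.log(JSON.stringify(summarize(analyzeForms(SAMPLE_HTML))));
```

Run against the constructed sample it reports three critical, three high, three medium and one low finding; the hardened login form produces none. As with the skill itself, the CSRF check only establishes that a token field is present; whether the server actually validates it is outside what static inspection can tell you.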

Output Format

# Form Security Analysis: login.html

## Summary
| Severity | Count |
|----------|-------|
| Critical | 2 |
| High | 3 |
| Medium | 1 |
| Low | 1 |
| **Total** | **7** |

## Critical Issues [CRITICAL]

### 1. Missing CSRF Token
**Form**: #login-form
**Type**: missing-csrf
**Bounty Estimate**: $1,000 - $10,000
**OWASP**: A01 | **CWE**: CWE-352

No hidden CSRF token field found. Vulnerable to cross-site request forgery.

---

## Hunting Tips

Based on this analysis:
1. **Test CSRF**: Submit form #login-form from a different origin
2. **Test IDOR**: Change the hidden ID to access other users' data
3. **Run dynamic tests**: Use playwright-security-runner for actual exploitation
4. **Check CVEs**: Search for vulnerabilities in any detected frameworks

Integration with Other Skills

After static analysis, use:

  • attack-methods-lookup - Get attack payloads for found issues
  • cve-search - Check if used libraries have known CVEs
  • playwright-security-runner - Dynamic testing (with confirmation)

Limitations

This is static analysis only:

  • Cannot detect server-side issues
  • Cannot verify if CSRF tokens are actually validated
  • Cannot test actual exploitation

Use this as reconnaissance, then proceed to dynamic testing.

Safety

This skill is 100% safe:

  • Only reads HTML files
  • No requests sent
  • No payloads executed
  • No data modified

Run freely without concerns.