Claude-skill-registry form-security-analyzer

Static security analysis of HTML forms without sending any requests. Checks for CSRF tokens, insecure actions, missing validation, hidden field issues, and common security misconfigurations. Safe to run - no payloads sent. Use when user asks to "analyze form security", "check form for vulnerabilities", "static security check".

install

source · Clone the upstream repo

git clone https://github.com/majiayu000/claude-skill-registry

Claude Code · Install into ~/.claude/skills/

T=$(mktemp -d) && git clone --depth=1 https://github.com/majiayu000/claude-skill-registry "$T" && mkdir -p ~/.claude/skills && cp -r "$T/skills/data/form-security-analyzer" ~/.claude/skills/majiayu000-claude-skill-registry-form-security-analyzer && rm -rf "$T"

manifest: skills/data/form-security-analyzer/SKILL.md

Form Security Analyzer

Static analysis of HTML forms to find security issues. No requests sent - just code inspection. Safe and fast.

Your Bounty Hunter Perspective

When analyzing a form, think:

"Where's the money hiding in this form?"
"What did the developer forget?"
"How can I abuse this?"

Quick Start

Installation

cd ${CLAUDE_PLUGIN_ROOT}/skills/form-security-analyzer
npm install
npm run build

Run Analysis

# Analyze a single file
npx tsx ${CLAUDE_PLUGIN_ROOT}/skills/form-security-analyzer/src/index.ts path/to/file.html

# JSON output
npx tsx ${CLAUDE_PLUGIN_ROOT}/skills/form-security-analyzer/src/index.ts path/to/file.html --json

Using Built Version

node ${CLAUDE_PLUGIN_ROOT}/skills/form-security-analyzer/dist/index.js path/to/file.html

What It Checks

Critical Issues ($$$)

Check	What It Finds	Bounty Potential
Missing CSRF Token	Forms without protection	$1K - $10K
HTTP Action URL	Credentials sent insecurely	$500 - $5K
Hidden sensitive data	API keys, tokens in hidden fields	$500 - $25K

High Issues

Check	What It Finds	Bounty Potential
State-changing GET	Destructive actions via link	$1K - $5K
Predictable IDs	Sequential/guessable object refs	$2K - $50K

Medium Issues

Check	What It Finds	Bounty Potential
No email validation	Missing type="email"	$500 - $2K
Autocomplete on passwords	Credential caching enabled	$100 - $500
Inline JS handlers	XSS surface area	$500 - $2K

Low Issues

Check	What It Finds	Bounty Potential
Missing maxlength	Potential buffer/storage issues	$100 - $500

Security Checks Detail

1. CSRF Protection

<!-- BAD: No CSRF token -->
<form action="/transfer" method="POST">
  <input name="amount" />
  <button>Send</button>
</form>

<!-- GOOD: Has CSRF token -->
<form action="/transfer" method="POST">
  <input type="hidden" name="_csrf" value="abc123" />
  <input name="amount" />
  <button>Send</button>
</form>

2. Secure Action URL

<!-- BAD: HTTP (credentials exposed) -->
<form action="http://example.com/login" method="POST">

<!-- GOOD: HTTPS -->
<form action="https://example.com/login" method="POST">

3. Input Validation

<!-- BAD: No validation -->
<input name="email" />

<!-- GOOD: Proper validation -->
<input name="email" type="email" required pattern="[^@]+@[^@]+\.[^@]+" />

4. Password Security

<!-- BAD: Autocomplete allows caching -->
<input type="password" name="password" />

<!-- GOOD: Prevent caching -->
<input type="password" name="password" autocomplete="new-password" />

5. Hidden Field Analysis

<!-- BAD: Sensitive data exposed -->
<input type="hidden" name="user_id" value="12345" />
<input type="hidden" name="api_key" value="sk_live_xxx" />
<input type="hidden" name="admin" value="false" />

<!-- These are IDOR and privilege escalation opportunities! -->

6. Dangerous Patterns

<!-- BAD: Inline handlers (XSS surface) -->
<form onsubmit="return validate()">

<!-- BAD: State-changing GET -->
<form action="/delete" method="GET">

Output Format

# Form Security Analysis: login.html

## Summary
| Severity | Count |
|----------|-------|
| Critical | 2 |
| High | 3 |
| Medium | 1 |
| Low | 1 |
| **Total** | **7** |

## Critical Issues [CRITICAL]

### 1. Missing CSRF Token
**Form**: #login-form
**Type**: missing-csrf
**Bounty Estimate**: $1,000 - $10,000
**OWASP**: A01 | **CWE**: CWE-352

No hidden CSRF token field found. Vulnerable to cross-site request forgery.

---

## Hunting Tips

Based on this analysis:
1. **Test CSRF**: Submit form #login-form from a different origin
2. **Test IDOR**: Change the hidden ID to access other users' data
3. **Run dynamic tests**: Use playwright-security-runner for actual exploitation
4. **Check CVEs**: Search for vulnerabilities in any detected frameworks

Integration with Other Skills

After static analysis, use:

```
attack-methods-lookup
```
- Get attack payloads for found issues
```
cve-search
```
- Check if used libraries have known CVEs
```
playwright-security-runner
```
- Dynamic testing (with confirmation)

Limitations

This is static analysis only:

Cannot detect server-side issues
Cannot verify if CSRF tokens are actually validated
Cannot test actual exploitation

Use this as reconnaissance, then proceed to dynamic testing.

Safety

This skill is 100% safe:

Only reads HTML files
No requests sent
No payloads executed
No data modified

Run freely without concerns.