HTML Form Security

Phase 6sessionWSTG-SESS

Description

Parses all <form> elements and checks for GET-method forms, password inputs without autocomplete="off", and the absence of CSRF token patterns (_token, csrf, _wpnonce, authenticity_token).

Security Impact

GET forms expose sensitive data in URLs, server logs, and Referer headers. Missing CSRF tokens allow cross-site request forgery. Password autocomplete risks credential leakage on shared devices.

Automated Detection & AI Remediation

DygDog automatically detects HTML Form Security using its continuous, passive scanning engine. When discovered, DygDog provides infrastructure-specific, copy-paste ready code snippets generated by frontier AI models to help you remediate the issue instantly without generic advice.

Start Free Scan