Forms Represent Critical Functionality
Web forms encapsulate some of the key functionalities available in modern web applications, particularly in enterprise environments. From simple login screens to complex workflows like tax submissions or passport applications, forms often serve as gateways to core application features. For example, in Facebook, users cannot access the full range of News Feed interactions until they post something using a form.
From a security testing perspective, this makes forms highly significant. They often represent rich attack surfaces, and therefore, demand deeper analysis from DAST (Dynamic Application Security Testing) scanners. Unfortunately, forms are also one of the most difficult components for automated scanners to handle, especially when trying to reach deeper, authenticated, or dynamic application states.
Why Form Handling Is So Hard
Most DAST scanners rely on a crawler or spider to explore an application. These crawlers must automatically discover and interact with the web application's components, including forms. But while simple links can be followed with basic automation, handling forms is a nontrivial task that requires generation of inputs that are valid, context-aware, and semantically meaningful.
Most crawlers either:
- Require manual input specification, or
- Use random or heuristic-based input generation, which fails on complex or domain-specific forms.
Even humans, when unfamiliar with a form (like a passport application), can struggle to provide the correct inputs. Crawlers, without context or training, perform even worse.
A Simple Expense Form – Many Hidden Challenges
Take a basic expense reimbursement form shown above. A human employee familiar with the domain could fill it out quickly. But for a crawler, even this relatively straightforward form presents serious obstacles:
- Input Type Inference:
HTML input types (
text,number,date,file) offer limited guidance. A crawler must infer that:"Amount"must be a positive decimal."Receipt"must be a valid file (e.g.,.pdfor.jpg)."Date of Expense"should be a realistic past date, not a future one.
- Semantic Understanding:
Matching labels like
"Manager"or"Department"to appropriate values requires contextual understanding. This might also include guessing business rules not evident from the form markup. - Field Dependencies:
Fields often interact. If
"Expense Category"is"Travel", the"Currency"might default to USD. But if it's"Office Supplies", it may depend on employee location. - Hidden Actions and Contextual Clues: Some forms rely on dynamic behavior, where visibility and semantics of form elements might change upon user interactions via JavaScript. The contextual clues might be available only on hover or click (like help icons). Even when correct inputs are generated, actions like drag-and-drop, autocomplete, or dynamic field population (e.g., provinces loading after selecting a country) can be tricky to automate.
These challenges make it clear: simple heuristics or hardcoded rules are not enough. A more intelligent solution is needed.
LLMs to the Rescue
At NightVision, we’ve recognized that effective form handling is crucial to the success of a DAST scanner. That’s why we’ve introduced LLM-assisted crawling to augment our scanning capabilities.
Starting on September 17, 2025, our scanner is equipped with a Large Language Model (LLM)-augmented spider designed to navigate and interact with complex web applications more intelligently. This enhanced crawler introduces a multi-step process for robust form handling:
- Form Extraction: It identifies and extracts form elements from web pages during crawling.
- Contextual Augmentation: Each form is enriched with structural and visual context such as XPath, content rectangles, and layout metadata in order to provide deeper insight into the relationships between form fields and labels.
- LLM-Based Semantics Resolution: The crawler invokes a specialized LLM FormHandler, which interprets the augmented form and generates precisely crafted LLM prompts to disambiguate input semantics and constraints.
- Domain-Aware Input Generation: Our experiments show that these prompts help the LLM produce realistic, context-aware, and domain-appropriate inputs that meet the form’s validation rules and business logic.
- Feedback-Driven Retry Logic: If a submission attempt fails (due to validation or logical constraints), the system incorporates feedback from the response to regenerate improved inputs enhancing its robustness when handling complex forms.
This allows the scanner to reach deeper application states, interact with authenticated workflows, and expose hidden vulnerabilities that traditional crawlers would miss.
✅ Conclusion
Modern web applications demand smarter scanning. Forms are no longer static, simple inputs—they are dynamic, semantically rich, and context-sensitive. Traditional crawlers fall short in these environments, limiting the reach of security scanners.
By integrating LLMs into the form-handling pipeline, we’ve enabled our DAST scanner to intelligently reason about inputs, navigate complex workflows, and uncover vulnerabilities hidden behind sophisticated forms. This innovation helps bridge the gap between automation and human-like understanding, unlocking deeper coverage, better accuracy, and stronger security outcomes for modern web applications.