Scan Captcha-protected pages

This document outlines recommended practices for running security scans against web applications that use CAPTCHA or other interactive anti-bot mechanisms. CAPTCHAs are designed to block automated traffic — and since scanners are automated, they will often be stopped.

There is no universal, permanent way to bypass CAPTCHA. Technology evolves quickly, and a method that works today might fail tomorrow. Instead, we focus on practical, sustainable steps that give you the best chance of full scan coverage while staying compliant with site policies.

Recommended approaches

1. Trustlist scanner IP addresses

• Provide your scanner’s IP ranges or application identifiers to the site owner or security/network team so they can trustlist them for the scan period or permanently for scheduled scans.
• This is the most straightforward and reliable option, enabling the scanner to access all relevant areas without triggering CAPTCHA.

2. Use a bypass mechanism (e.g., header key for Invicti scans)

• Invicti scanner supports bypass methods, such as sending a custom header or key that the application recognizes and exempts from CAPTCHA or other anti-bot checks.
• This allows automated scans to proceed without modifying global CAPTCHA settings or relying solely on IP trustlisting.

3. Use manual intervention (where available)

• In this mode, the scanner pauses when it reaches an interactive step such as CAPTCHA or MFA. An operator solves the challenge, and the scan continues.
• This method is useful when trustlisting isn’t possible, though it may slow scanning and requires a person to be available during the scan.

Whenever possible, run scans in a staging or QA environment with CAPTCHA disabled. If that’s not feasible, use one or both of the above approaches to minimize disruption from CAPTCHA challenges.