CAPTCHA in website

my frist page is a login name password & a CAPTCHA .

How can I do a scan on this ?

Any doc or step I can follow ?



  • You have a few options:

    1) Record Web Form Values and mark the CAPTCHA input as 'interactive' and use that WebFormValuesFile for your scan, that way you'll be prompted for the value when it's necessary. Means you need to "baby-sit" the scan.

    2) Check the 'Prompt for web form values during scan (interactive mode)' checkbox and NOT use a WebFormValuesFile for your scan, that was you'll be prompted to input a value (or skip the form) for any forms encountered during the scan. When scanning in Interactive Mode, if you get a blank screen in the Web Form Value Input Dialog, press the skip button.

    4) Have developers turn off/bypass CAPTCHA functionality for the IP you are scanning from. Pretty crude way to deal with it, but this is often done for performance testing. Of course, you won't be testing the CAPTCHA functionality in terms of security by doing this.


    In terms of reading material, you could Read The Manual, read official training course material, and search this forum for 'CAPTCHA'.

  • I tried with options mentioned, made field interactive, and read from a file.  But script never stopped or did not ask the captcha to enter interactively, any other setting needs to be updated ?


    I have trial license

  • For captcha I don't have file,  I made field has interactive, and selected that field as interactive.  application UI never showed up.   My settings seems to be correct as described or suggested in community response.

  • In order to set up the Interactive Mode for a WebInspect scan, you must record or enter the input field's name and a dummy value into a web forms input file.  That field must also be marked as "Interactive".  Once generated, that file must be specified in the Scan Settings Method panel, under the Navigation block.  And you must then also enable the two bullet/checkboxes below to enable the Interactive Mode.  This is detailed in the User Guide at this page,

    Overall, you will end up with a "mostly automated" scan you need to "babysit".  If and when that tagged input field is encountered, a browser window will be opened, asking for your human input.  Once you submit that, the scan will proceed.  Technically only the single Thread that encountered that tagged field will be Paused waiting on your input.  the other Requestor Threads operate with their own session state (default configuration) and they will continue scanning in the background, unabated, until or unless they also encounter that tagged input field.