Many applications have implemented anti-bot protection mechanism such as Captcha. Depending on the used Captcha, the agents can automatically solve these.
Below is a list of challenge types that the agents can solve autonomously and no additional actions are required.
ReCaptcha v2 - no ip-check configured
ReCaptcha v3 - no ip-check configured
reCAPTCHA v2 Enterprise
reCAPTCHA v3 Enterprise
Cloudflare Turnstile
Geetest v3 / v4
ImageToText
The following Captchas our agents cannot solve automatically. For the pentest to proceed, the following additional actions are required.
hCaptcha
hCaptcha does not provide allowlisting from within their portal. These Captcha exclusions must be implemented in the codebase.
ReCaptcha v2 - ip-check configured
Exclude the Aikido IPs using the following allowlist instructions
ReCaptcha v3 - ip-check configured
Exclude the Aikido IPs using the following allowlist instructions
When reCAPTCHA is configured without IP checks, validation does not depend on the client’s IP address. Google instead evaluates non-IP signals (such as browser behavior and execution context), so a token can still be validated even if it is submitted from a different IP.
When IP checks are enabled, reCAPTCHA binds the challenge/token to the originating IP address and expects the same IP during verification. Our agents use multiple IPs to solve checks and bypass bot protections, so validation can fail under IP enforcement.
For this reason, additional IP allowlisting is required when reCAPTCHA IP checks are enabled.
Last updated
Was this helpful?
Was this helpful?
