More Support for Complex Authentication Flows: TOTP MFA and Text-Based CAPTCHA

This June, we’re making it easier to test real-world applications with complex authentication flows without sacrificing automation.

Security teams need to test applications exactly as they exist in production, including MFA and CAPTCHA-protected flows. Historically, these protections aren’t "scanner-friendly" and often introduce friction into DAST workflows.

With our new TOTP MFA and AI-powered text CAPTCHA solving, Escape now enables fully automated testing on applications protected by these mechanisms, reducing frustrations from broken scans and incomplete coverage.

Ready to see how it works and set it up for your workflows? Dive right in below.

MFA using Time-Based One-Time Passwords (TOTP) is now fully supported

We are excited to announce that Multi-Factor Authentication (MFA) using Time-Based One-Time Passwords (TOTP) is now fully supported in our Web App Scanner!

The use of multi-factor authentication (MFA) significantly enhances identity security by introducing an additional layer of verification beyond traditional login credentials. While this strengthens protection against unauthorized access, it can present a challenge for most of the DAST tools since they are typically designed for unattended execution, where manual interaction, such as approving a sign-in request or entering a time-sensitive code, can disrupt the automation workflow.

With the new support for TOTP-based MFA, Escape’s DAST scanner is now fully equipped to handle these scenarios. You can securely test web applications protected by MFA without needing manual intervention during the scanning process. This means you can automate the security testing of applications that require MFA, ensuring comprehensive coverage while maintaining a streamlined workflow.

Getting started is easy! Just use the Browser Agent authentication preset. Here's an example setup:

presets:
-   type: browser_agent
    login_url: https://auth.example.com/login
    users:
    -   username: frontend-user-with-totp@example.com
        password: pass
        post_login_actions:
        -   action: fill_totp
            auto_submit: true
            locator: input[id="totp-input"]
            secret: '123456'

Learn how to configure this preset for your needs in our documentation!

AI-powered text-based CAPTCHA solving is now also supported

You can now also automate text-based CAPTCHA solving for your web app testing with Escape!

Text-based CAPTCHAs with combinations of letters and numbers are widely used to prevent automated bots from accessing web applications.

However, these CAPTCHAs often block automated security scanners from authenticating and testing protected areas of your application, requiring manual workarounds to proceed with security testing.

With the new support for AI-powered text-based CAPTCHA solving, Escape’s DAST scanner is now fully equipped to handle these scenarios. You can securely automate testing for web applications protected by text-based CAPTCHAs without manual intervention during the scanning process.

Getting started is easy! Just configure the SolveCaptchaAction object variables under Browser Actions authentication preset or in post_login_actions in the BrowserAgent. Here's an example setup:

presets:
-   type: browser_actions
    login_url: https://example.com/login
    logged_in_detector_timeout: 10
    stealth_mode: false
    users:
    -   username: frontend-user@example.com
        actions:
        -   action: fill
            auto_submit: false
            locator: input[name="username"]
            value: user@escape.tech
        -   action: solve_captcha
            auto_submit: true
            locator: input[name="captcha-input-box"]

Learn how to configure this preset for your needs in our documentation:

• Browser Actions
• Browser Agent

Two easy ways to update your authentication settings

To set up or update authentication settings, you can choose the method that fits your workflow best:

1. via the Configuration tab directly in the SaaS

Head over to your dedicated app authentication settings by updating your-scan-id
in the following link: https://app.escape.tech/scan/your-scan-id/settings/scan/authentication/

From here, you can configure your MFA or CAPTCHA authentication presets and save.

2. via Escape CLI

For teams managing scanning via the Escape CLI locally or in their CI pipelines, you can update your configurations using one of the following commands:

escape-cli applications update-config 00000000-0000-0000-0000-000000000000 config.json

escape-cli applications update-config 00000000-0000-0000-0000-000000000000 config.yaml

Replace the UUID with your Application ID and push your YAML/JSON configuration files, keeping your CI/CD pipeline fully automated.

Stay tuned as we roll out support for configuring these new authentication presets via the Public API and Escape Copilot, making it even easier to adapt to your workflows.

With these new updates, you should be able to run your DAST scans without a glitch. Let us know what you think in our Discord community or reach out if you want to see Escape DAST in action.

You might also want to explore these powerful Escape features:

• Complex authentication in DAST scans
• Meet Escape Copilot: Automate App and Scan Management via MCP
• From Alert to Action: Escape’s Jira Integration Explained
• Kickstart 2025 with New DAST Scanner Features