More Support for Complex Authentication Flows: TOTP MFA and Text-Based CAPTCHA
This June, we’re making it easier to test real-world applications with complex authentication flows without sacrificing automation.
Security teams need to test applications exactly as they exist in production, including MFA- and CAPTCHA-protected flows. These protections are built to stop unattended automation, which is exactly what a DAST run is, so historically they have not been scanner-friendly and have introduced friction (stalled logins, partial coverage) into DAST workflows.
With our new TOTP MFA and AI-powered text CAPTCHA solving, Escape now enables fully automated testing on applications protected by these mechanisms, reducing frustrations from broken scans and incomplete coverage.
Ready to see how it works and set it up for your workflows? Dive right in below.
MFA using Time-Based One-Time Passwords (TOTP) is now fully supported
We are excited to announce that Multi-Factor Authentication (MFA) using Time-Based One-Time Passwords (TOTP) is now fully supported in our Web App Scanner!
Multi-factor authentication (MFA) significantly strengthens identity security by requiring a second verification step beyond the login credentials. While this protects against unauthorized access, it is a problem for most DAST tools: they are designed for unattended execution, and a step that needs a human to approve a sign-in request or type in a time-sensitive code breaks the automation.
With the new support for TOTP-based MFA, Escape's DAST scanner handles this step itself. You give the preset the TOTP seed of a dedicated scanning account, and the scanner computes the current one-time code at login time and submits it, so no manual intervention is needed during the scan. This lets you automate security testing of MFA-protected applications with full coverage and a streamlined workflow.
Getting started is easy! Just use the Browser Agent authentication preset. Here's an example setup:
```yaml
presets:
  - type: browser_agent
    login_url: https://auth.example.com/login
    users:
      - username: frontend-user-with-totp@example.com
        password: pass
        post_login_actions:
          - action: fill_totp
            auto_submit: true
            locator: input[id="totp-input"]
            # the shared TOTP seed from this account's MFA enrollment (placeholder value here);
            # a generated six-digit code is not a seed and will not authenticate
            secret: '123456'
```
Learn how to configure this preset for your needs in our documentation!
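To make concrete what the scanner does with that `secret`, here is an added worked example (not Escape's code, and not the preset's implementation) of TOTP as specified in RFC 6238 on top of RFC 4226 HOTP, using only the Python standard library and checked against the RFC 6238 test vectors. It also includes two helpers a scan operator tends to want: one that pulls the seed out of the `otpauth://` URI behind an enrollment QR code (that `secret` parameter is the value a TOTP preset needs, never the six-digit code displayed by an authenticator app), and a pre-flight check that flags a config value shaped like the page's `'123456'` placeholder, which is a code rather than a seed. Function names, the `window` tolerance and the sample URI are this example's own assumptions, not Escape configuration keys.

```python
"""
RFC 6238 TOTP / RFC 4226 HOTP with the standard library only.
Added example; the names below are this example's own, not a vendor API.
"""
import base64
import hashlib
import hmac
import struct
import time
from typing import Optional
from urllib.parse import parse_qs, urlparse

# RFC 6238 Appendix B test seed: the ASCII bytes "12345678901234567890", base32-encoded.
RFC6238_SEED_B32 = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"


def decode_seed(seed_b32: str) -> bytes:
    """Decode a base32 seed; tolerates the lowercase, spaced, unpadded forms authenticator apps show."""
    cleaned = seed_b32.replace(" ", "").upper()
    cleaned += "=" * (-len(cleaned) % 8)  # restore padding that otpauth URIs drop
    return base64.b32decode(cleaned)


def hotp(key: bytes, counter: int, digits: int = 6, algo=hashlib.sha1) -> str:
    """RFC 4226: HMAC over the 8-byte big-endian counter, dynamic truncation, mod 10^digits."""
    mac = hmac.new(key, struct.pack(">Q", counter), algo).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(seed_b32: str, at: Optional[int] = None, step: int = 30,
         digits: int = 6, algo=hashlib.sha1) -> str:
    """RFC 6238: HOTP with counter = floor(unix_time / step). This is what a scanner computes at fill time."""
    now = int(time.time()) if at is None else at
    return hotp(decode_seed(seed_b32), now // step, digits, algo)


def seconds_left(at: Optional[int] = None, step: int = 30) -> int:
    """Seconds before the current code rotates. A code generated at the end of a step and
    submitted after rotation is rejected, which is why fill-and-submit should be one action."""
    now = int(time.time()) if at is None else at
    return step - (now % step)


def verify(seed_b32: str, candidate: str, at: Optional[int] = None,
           window: int = 1, step: int = 30) -> bool:
    """Server-side check with +/- `window` steps of clock-skew tolerance and constant-time compare."""
    now = int(time.time()) if at is None else at
    key = decode_seed(seed_b32)
    return any(
        hmac.compare_digest(hotp(key, now // step + delta), candidate)
        for delta in range(-window, window + 1)
    )


def seed_from_otpauth(uri: str) -> dict:
    """Extract seed and parameters from the otpauth:// URI behind an enrollment QR code."""
    parsed = urlparse(uri)
    if parsed.scheme != "otpauth" or parsed.netloc != "totp":
        raise ValueError("not a TOTP otpauth URI")
    q = parse_qs(parsed.query)
    return {
        "secret": q["secret"][0],
        "digits": int(q.get("digits", ["6"])[0]),
        "period": int(q.get("period", ["30"])[0]),
        "algorithm": q.get("algorithm", ["SHA1"])[0].upper(),
    }


def looks_like_seed(value: str) -> bool:
    """Pre-flight check for a config value: a seed is base32 of at least 80 bits (RFC 4226 recommends 160);
    an all-digit string is a one-time code, not a seed, and will never authenticate."""
    if value.isdigit():
        return False
    try:
        return len(decode_seed(value)) >= 10
    except ValueError:  # binascii.Error is a ValueError: not valid base32
        return False


if __name__ == "__main__":
    # Constructed enrollment URI using the RFC test seed.
    uri = ("otpauth://totp/Example:frontend-user-with-totp%40example.com"
           f"?secret={RFC6238_SEED_B32}&issuer=Example&digits=6&period=30")
    seed = seed_from_otpauth(uri)["secret"]
    for t in (59, 1111111109, 1234567890, 20000000000):
        print(t, totp(seed, at=t))
    print("seconds until rotation:", seconds_left())
    print("'123456' usable as a seed?", looks_like_seed("123456"))
```

Two practical consequences follow from the code: the seed is a long-lived credential equivalent to the second factor itself, so enroll a dedicated scanning account rather than copying a person's seed, and the generated code is only valid for the current step (plus whatever skew the server tolerates), so the scanner has to compute it at submission time rather than ahead of the run.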
AI-powered text-based CAPTCHA solving is now also supported
You can now also automate text-based CAPTCHA solving for your web app testing with Escape!
Text-based CAPTCHAs with combinations of letters and numbers are widely used to prevent automated bots from accessing web applications.
However, the same CAPTCHAs block automated security scanners from authenticating and reaching the protected parts of your application, which until now meant manual workarounds before testing could proceed.
With the new support for AI-powered text-based CAPTCHA solving, Escape's DAST scanner reads the challenge and fills in the answer itself, so you can automate testing of web applications protected by text-based CAPTCHAs without manual intervention during the scan. This is a scanner-side step, not a change to your application: the CAPTCHA keeps protecting real users, and the scanner only solves it for its own test accounts.
Getting started is easy! Just configure the SolveCaptchaAction object variables under the Browser Actions authentication preset, or in post_login_actions in the Browser Agent preset. Here's an example setup:
```yaml
presets:
  - type: browser_actions
    login_url: https://example.com/login
    logged_in_detector_timeout: 10
    stealth_mode: false
    users:
      - username: frontend-user@example.com
        actions:
          - action: fill
            auto_submit: false
            locator: input[name="username"]
            value: user@escape.tech
          - action: solve_captcha
            auto_submit: true
            locator: input[name="captcha-input-box"]
```
Learn how to configure this preset for your needs in our documentation!
Two easy ways to update your authentication settings
To set up or update authentication settings, you can choose the method that fits your workflow best:
- via the Configuration tab directly in the SaaS: open your application's authentication settings by replacing your-scan-id with your scan ID in the following link: https://app.escape.tech/scan/your-scan-id/settings/scan/authentication/ . From there, configure your MFA or CAPTCHA authentication presets and save.
- via the Escape CLI: for teams running scans locally or in their CI pipelines, push an updated configuration with one of the following commands:

```
escape-cli applications update-config 00000000-0000-0000-0000-000000000000 config.json
escape-cli applications update-config 00000000-0000-0000-0000-000000000000 config.yaml
```

Replace the UUID with your Application ID and push your YAML/JSON configuration file, keeping your CI/CD pipeline fully automated. Since that file carries the scanning account's password and TOTP seed, keep it out of version control, or template those values in from your CI secret store at push time.
Stay tuned as we roll out support for configuring these new authentication presets via the Public API and Escape Copilot, making it even easier to adapt to your workflows.
With these new updates, you should be able to run your DAST scans without a glitch. Let us know what you think in our Discord community or reach out if you want to see Escape DAST in action.