What This Article Covers

This article explains why CAPTCHA services can interfere with automated security scans and provides a recommended solution: allowlisting Astra's scanner IP addresses. It details how to configure IP allowlisting for common CAPTCHA services like Google reCAPTCHA and security platforms like Auth0, ensuring your web applications can be effectively scanned for vulnerabilities.

Who Should Read This

This article is for anyone attempting to scan web applications protected by CAPTCHA services, including security professionals, developers, and system administrators. It is particularly relevant for users experiencing incomplete scan results or missed vulnerabilities due to CAPTCHA interference.

Why This Matters

CAPTCHA implementations, while essential for preventing automated abuse, can inadvertently block legitimate security scanners, leading to incomplete vulnerability assessments. By properly configuring your CAPTCHA to allowlist Astra's scanner IPs, you ensure comprehensive scan coverage, accurate vulnerability detection, and the overall security of your web applications without compromising user protection.

Configuring CAPTCHA for Comprehensive Web Application Scans

1. Understanding Why CAPTCHA Blocks Security Scanners

CAPTCHA solutions are specifically designed to stop automated bots. Since security scanners simulate automated activity to thoroughly probe your application, CAPTCHA may block or interrupt these requests. This can lead to incomplete scan results and missed vulnerabilities.

To avoid these issues, we highly recommend excluding Astra’s scanner IPs from CAPTCHA challenges.

2. Recommended Solution: Allowlist Astra Scanner IPs

By allowlisting Astra IP Ranges, you can exempt Astra’s scanner from CAPTCHA challenges while maintaining full protection for your regular users.

Security Note: Always ensure IP allowlisting is used only for trusted services like Astra, and keep your allowlist updated to avoid exposing your application to unwanted traffic.

3. Steps to Allowlist Astra Scanner IPs in Google reCAPTCHA

Google reCAPTCHA (v3 and Enterprise) supports the allowlisting of IP addresses to exclude trusted sources from CAPTCHA enforcement.

Reference: Please refer to Google’s official documentation for instructions: Allowlist IP addresses for reCAPTCHA

Once you’ve added Astra’s scanner IPs to the allowlist, CAPTCHA will no longer block or interfere with scans from our engine.

4. Steps to Allowlist Scanner IPs in Auth0

Auth0’s Attack Protection suite includes features like Bot Detection, Brute-force Protection, and Suspicious IP Throttling. These features are designed to block or challenge traffic from automated sources, which can include security scanners like Astra’s. To ensure uninterrupted and complete scanning, you can allowlist Astra’s scanner IPs within your Auth0 configuration.

Step 4.1: Log in to Auth0 Dashboard and Navigate to Security

Log in to the Auth0 Dashboard. Go to Security > Attack Protection.

Step 4.2: Select Protection Feature

Select the specific protection feature you want to configure (e.g., Bot Detection).

Step 4.3: Manage IP Addresses

Scroll to the Manage IP addresses (IP AllowList) section.

Step 4.4: Add Astra's Scanner IP Addresses

Add Astra’s scanner IP addresses or subnets. Ensure you add all relevant IP ranges provided by Astra.

Step 4.5: Save Changes

Save your changes.

This configuration will exempt Astra’s scanner from being flagged or blocked by Auth0’s protective mechanisms during your security assessments.
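Before pasting ranges into the reCAPTCHA or Auth0 allowlist (Step 4.4), and whenever you refresh the list as the Security Note above recommends, it helps to sanity-check the entries. The script below is an added example, not Astra's or Auth0's code: the scanner ranges it uses are constructed placeholders (replace them with the current list published in your Astra dashboard), and it flags published ranges that the allowlist does not cover, entries so broad that they would exempt far more than the scanner, and strings that are not valid IPs or CIDR networks at all.

```python
import ipaddress

# Constructed placeholder ranges standing in for the scanner ranges Astra
# publishes. Replace with the current list from the Astra dashboard.
SCANNER_RANGES = ["203.0.113.0/28", "198.51.100.42/32"]

# Any IPv4 entry wider than this prefix length (e.g. a /8 or 0.0.0.0/0)
# is reported as too broad for a scanner exemption.
MAX_IPV4_SPAN = 24


def check_allowlist(entries, scanner_ranges=SCANNER_RANGES, max_span=MAX_IPV4_SPAN):
    """Validate a candidate CAPTCHA/Auth0 allowlist.

    Returns (missing, too_broad, invalid):
      missing   - published scanner ranges not fully covered by any entry
      too_broad - IPv4 entries wider than /max_span
      invalid   - strings that are neither an IP address nor a CIDR network
    """
    invalid, nets = [], []
    for entry in entries:
        try:
            # strict=False accepts host bits set, e.g. "203.0.113.5/28"
            nets.append(ipaddress.ip_network(entry, strict=False))
        except ValueError:
            invalid.append(entry)

    too_broad = [str(n) for n in nets if n.version == 4 and n.prefixlen < max_span]

    missing = []
    for rng in scanner_ranges:
        need = ipaddress.ip_network(rng, strict=False)
        # subnet_of() raises on mixed versions, so compare versions first.
        covered = any(need.version == n.version and need.subnet_of(n) for n in nets)
        if not covered:
            missing.append(str(need))
    return missing, too_broad, invalid


def is_clean(entries):
    """True when nothing is missing, overly broad, or malformed."""
    return all(len(part) == 0 for part in check_allowlist(entries))


if __name__ == "__main__":
    candidate = ["203.0.113.0/28", "198.51.100.42", "10.0.0.0/8", "not-an-ip"]
    missing, too_broad, invalid = check_allowlist(candidate)
    print("missing:", missing)       # []
    print("too broad:", too_broad)   # ['10.0.0.0/8']
    print("invalid:", invalid)       # ['not-an-ip']
```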

Official Documentation: Configure Bot Detection – Auth0 Docs

Need help? Raise a support ticket anytime from your Astra dashboard.