Testing reCAPTCHA sites with mabl

Testing reCAPTCHA sites with mabl Eric Tatar November 6, 2019

March 19, 2026 · 4 min read · Testing Guide

Testing reCAPTCHA sites with mabl

Eric Tatar
November 6, 2019

One struggle we ’ ve constantly run into when trying to make mabl usable on all web covering is go pastreCAPTCHA. Few thing stop mabl in its path like anti-bot security. After all, mabl is a bot, so with reCAPTCHA just doing its job, it constantly show pretty much impossible to get mabl tryout running on an app that uses it. When you train a test on a reCAPTCHA site, everything appears to act fine because you ’ re accessing the situation on your own scheme, create reCAPTCHA see it as “ real traffic ”. Once you go to run the test in the mabl app through our execution locomotive, though, the traffic is instead seen as a bot trying to access that same site. This actuate the infamous square photos popup and mess up any tests that undertake to snap through the reCAPTCHA or access the content on the site.

For a long time, reCAPTCHA seemed like an insurmountable barrier, leaving any situation that use it antagonistic with mabl. Then, a few weeks ago, one of our customers told us about a way their team had solve the issue usinga solution in the Google Dev FAQs on running automated test with reCAPTCHA. This response sounded uncomplicated, and the changes needed to get it act seemed easily surmountable to get it working, so we decided to test it out for ourselves and see if these modification could actually let mabl access reCAPTCHA protected sites.

Testing reCAPTCHA with mabl

To set up a mock “ test environment ”, Don McNamara, one of our package engineer, created a test page with two versions of reCAPTCHA v2 buttons on it, one that was set up normally and another whose key had be change to one of the predefined keys delimit by Google for test environment. He besides added reCAPTCHA v3 behind the scenes along with a button that generated the reCAPTCHA v3 curl command you can use to see if the traffic detected from the current session is considered a bot.

The test page for quiz the different form of reCAPTCHA

Next, we discipline a exam using the mabl trainer where we clicked on both versions of reCAPTCHA v2 and then looked at the playback to see what the results looked like. While training the test, both clicks stimulate a dark-green check mark to appear in the boxes, but when we looked at the screenshots in mabl for the first test run, we saw that clicking the non-modified reCAPTCHA v2 did not bring up the dark-green checkmark, but the frightening painting puzzle.

mabl can ’ t be trained to click the right icon, which is understandable with reCAPTCHA be created to stop bots, so this would totally stop any tryout designed to go any further into the site from continuing. On the other hand, clicking the modified adaptation of reCAPTCHA v2 did stage the green checkmark during both the grooming and in the test run screenshots, showing that the modified tests keys did allow mabl to bypass v2.

The green check marks appear in both boxes during training ...

... but simply on the modified reCAPTCHA box when running through the mabl app

To test v3, we set up an echo step while training the examination that revert the scroll bid for that specific test execution in the mabl app.

SUSA automates exploratory testing with persona-driven behavior, catching bugs that scripted automation misses.

The test that gives us the curl bidding for this run of the test

We then put the result from the first test run into a local terminal window, which gave us a response showing us that for that specific, execution engine created test run, mabl was not considered bot traffic. However, we be about to run into a problem with v3.

reCAPTCHA v3: The Problem

Here ’ s a little information about how reCAPTCHA v3 categorizes incoming traffic: it designate the traffic a grade from 0 to 1 on how legit the traffic is, with 1 being utterly legit and 0 being whole illegitimate, or bot traffic. Since it ’ s pretty much impossible for the package to be absolutely sure one way or the former, the most common results are 0.9 and 0.1, for nigh certainly legit and almost certainly bot traffic. We set the v3 test to run on the hour every hr in 4 different browsers over the weekend so we could see what tally the test runs got. When Don set up the page, we had resolve to not have reCAPTCHA v3 stop any traffic, no subject the score it got. Here ’ s the results from the weekend:

As you can see, reCAPTCHA v3 initially saw the test runs as low risk on Thursday, Friday, and for around one-half of Saturday, and gave them a score of 0.9. However, it so started watch them as eminent risk through the rest of the day Saturday and throughout Sunday, giving them a grade of 0.1. While the change to v3 proved initially successful in getting mabl test execution viewed as legitimate, over time the test runs again started being regarded as bot traffic.

As of right now, we haven ’ t found a way to do this traffic be considered legitimate for an indefinite amount of time. I createda poston StackOverflow that could provide answers in the future. Until then, make sure to constantly check your v3 solution page or set up your application to provide some feedback when bot traffic is detected and you may hopefully detect more success than we did.

On the other hand, if your team is using reCAPTCHA v2, you should now hold no trouble let your test environment set up to work with mabl, meaning you can start extend automated tests without worrying about reCAPTCHA. & nbsp;

You can try mabl out for yourself.

UPDATE: This is what our traffic report seem like after another workweek:

You can see that the traffic has continued to be witness as high risk and afford scores of 0.1, so once mabl get-go being find as a bot by v3, it keep to be seen as one.

Quality Engineering Resources

Automate This With SUSA

Upload your APK or URL. SUSA explores like 10 real users — finds bugs, accessibility violations, and security issues. No scripts needed.

Try SUSA Free

Test Your App Autonomously

Upload your APK or URL. SUSA explores like 10 real users — finds bugs, accessibility violations, and security issues. No scripts.

Try SUSA Free