Captcha Handling
Problem: Your application uses CAPTCHA to prevent automated access (by design), but you need to performance-test it anyway.
When Captcha Blocks Load Testing
Captcha exists specifically to stop automated tools, including load testing tools. If a load testing tool could easily bypass captcha, so could every spammer on the internet.
You'll know captcha is blocking your test if:
- Recording succeeds (you solve the captcha manually during recording)
- Replay fails because virtual users can't solve the captcha
- Application returns "captcha failed" or similar errors during load testing
Common captcha types:
- Image-based: "Type the text you see in the image" (reCAPTCHA v1, traditional captcha)
- Checkbox: "I'm not a robot" checkbox (reCAPTCHA v2)
- Invisible: Background analysis without user interaction (reCAPTCHA v3, hCaptcha invisible)
- Puzzle-based: "Drag the slider to complete the puzzle" (hCaptcha, GeeTest)
Three Options for Load Testing with Captcha
None of these options bypass captcha. They all require cooperation from your development or operations team. That's the nature of the problem.
Option 1: Disable Captcha for the Test Environment (Recommended)
What: Configure the application to skip captcha validation in the test environment.
Why this is best:
- ✅ No code changes to the load testing tool required
- ✅ Realistic load testing (all other application logic runs normally)
- ✅ No security risk (only affects test environment, not production)
- ✅ Fastest replay performance (no captcha delay)
How:
- Coordinate with development team: Ask them to add a configuration flag to disable captcha in non-production environments
- Example:
  if (environment == "production") { validate_captcha(); }
- Deploy to test environment with captcha disabled
- Run load test against test environment
Security note: Ensure the captcha-disabled configuration cannot be deployed to production (use environment variables, separate config files, or deployment gates to prevent mistakes).
Option 2: Configure Captcha to Accept Any Value
What: Configure the captcha service to accept any input as valid (no actual validation).
Why this works:
- ✅ Load Tester can replay the recorded captcha response (which will be accepted)
- ✅ No changes to the test case required
- ✅ Application logic proceeds normally after "passing" captcha
How:
- Coordinate with development team: Ask them to configure the captcha service in "test mode"
- reCAPTCHA: Google provides a test site key that always accepts any response
  - Test site key: 6LeIxAcTAAAAAJcZVRqyHh71UMIEGNQ_MXjiZKhI
  - Test secret key: 6LeIxAcTAAAAAGG-vFI1TnRWxMZNFuojJ4WifJWe
  - Replace production keys with test keys in the test environment
- Custom captcha: Add a bypass mode that skips validation but logs attempted solutions
- Run load test with any captcha value (the recorded value, or a dummy value)
Security note: Test keys must NOT be used in production.
Option 3: Expose Captcha Answer in the HTML (Advanced)
What: During load testing, the captcha service embeds the correct answer somewhere in the HTML where Load Tester can extract it.
Why this works:
- ✅ Simulates the captcha-solving process (extract → submit)
- ✅ Tests the full application flow including captcha submission
How:
- Coordinate with development team: Ask them to add a hidden field or HTML comment containing the captcha answer
- Example:
  <input type="hidden" id="captcha_answer" value="abc123">
  or
  <!-- CAPTCHA_ANSWER:abc123 -->
- Configure an extractor in Load Tester to capture the answer (see JavaScript Cookies for the extractor/processor workflow)
- Configure a field modifier to set the captcha field to the extracted value
- Run load test
Security note: This HTML-embedded answer must be removed before deploying to production. Use feature flags or environment-specific templates to ensure it only appears in test environments.
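The security notes for all three options share one requirement: test-only captcha settings must never reach production. As an added example (not part of the original page or of Load Tester), this Python release gate flags a production config or rendered page that has captcha disabled, carries the reCAPTCHA test keys quoted under Option 2, or contains the answer markers shown under Option 3, and it decides when captcha may be skipped from an allowlist so that an unset or misspelt environment name keeps validation on. The setting names APP_ENV and CAPTCHA_ENABLED and the environment names loadtest and staging are assumptions.

```python
import re

# Google's published reCAPTCHA test keys, as quoted under Option 2.
RECAPTCHA_TEST_KEYS = (
    "6LeIxAcTAAAAAJcZVRqyHh71UMIEGNQ_MXjiZKhI",  # test site key
    "6LeIxAcTAAAAAGG-vFI1TnRWxMZNFuojJ4WifJWe",  # test secret key
)
# The two answer-embedding forms shown under Option 3.
ANSWER_MARKERS = (
    re.compile(r"""id\s*=\s*["']captcha_answer["']""", re.IGNORECASE),
    re.compile(r"<!--\s*CAPTCHA_ANSWER:", re.IGNORECASE),
)
# Hypothetical names: the only environments allowed to skip captcha.
CAPTCHA_OPTIONAL_ENVS = frozenset({"loadtest", "staging"})


def captcha_required(environment):
    """Fail closed: unset, misspelt or differently-cased names keep captcha on."""
    return environment not in CAPTCHA_OPTIONAL_ENVS


def audit_production_release(config, rendered_pages):
    """Return findings that should block a production deployment."""
    # config: production settings (name -> string value)
    # rendered_pages: path -> HTML rendered from the production templates
    findings = []
    if not captcha_required(config.get("APP_ENV")):
        findings.append("APP_ENV is a captcha-optional environment")
    if config.get("CAPTCHA_ENABLED", "").lower() != "true":
        findings.append("CAPTCHA_ENABLED is not explicitly 'true'")
    for name, value in config.items():
        if any(key in value for key in RECAPTCHA_TEST_KEYS):
            findings.append(f"{name} contains a reCAPTCHA test key")
    for path, html in rendered_pages.items():
        if any(marker.search(html) for marker in ANSWER_MARKERS):
            findings.append(f"{path} embeds a captcha answer")
    return findings


if __name__ == "__main__":
    # Constructed sample: a production config with test-only leftovers.
    bad_config = {"APP_ENV": "production", "CAPTCHA_ENABLED": "false",
                  "RECAPTCHA_SECRET_KEY": RECAPTCHA_TEST_KEYS[1]}
    bad_pages = {"/signup": "<form><!-- CAPTCHA_ANSWER:abc123 --></form>"}
    for finding in audit_production_release(bad_config, bad_pages):
        print("BLOCK:", finding)
```

Run it in the deployment pipeline against the production configuration and a sample of rendered pages, and fail the release when the returned list is non-empty.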
Recommended Approach
For most teams: Option 1 (disable captcha) is simplest and safest.
If you must test captcha logic: Option 2 (accept any value) tests the captcha submission flow without requiring extractors.
For advanced scenarios: Option 3 (embed answer) simulates realistic captcha-solving behavior, but requires careful coordination to avoid accidentally deploying the answer-embedding code to production.
Ask the AI About Captcha Configuration
If you need help coordinating with your development team or configuring extractors:
My application uses reCAPTCHA and I need to performance-test it. What's the
safest way to configure the test environment so Load Tester can bypass the
captcha without compromising production security?
The AI can:
- Recommend the best option based on your captcha type and environment
- Generate example configuration for reCAPTCHA test keys
- Explain how to configure extractors if you choose Option 3
- Provide sample code for development team (feature flags, environment checks)
- Verify that your test configuration doesn't affect production
- Troubleshoot captcha-related replay failures