Handling Captcha/Email/Mobile OTPs

Pentest Copilot handles verification codes and captchas automatically while you record a login. Record once; the platform re-authenticates on every later test run.

What the platform handles

Challenge                   What you do
Email OTP                   Type the monitored email on the target form
Magic link                  Type the monitored email
SMS OTP                     Type the monitored phone number
TOTP (authenticator app)    Paste the Base32 secret into the TOTP helper
Captcha                     Nothing

Where to find the monitored email and phone

Open Browser Session Manager, click Record Session. An info notice at the top shows both values as copyable chips. Use those exact values on the target app.

Email OTP and magic link

Scenario                    Action
Standard login              Type the monitored email, submit, wait.
Unique-per-account signup   Append a suffix, e.g. [email protected]. Gmail routes it to the same inbox.
Target blocks the address   Ask your Bugbase contact to rotate to a domain the target accepts.

The platform reads the incoming mail, extracts the code or opens the magic link, and continues.

SMS OTP

Type the monitored phone in E.164 format, for example +1XXXXXXXXX. If the target splits country code and local number into separate inputs, put +1 (or whatever prefix is shown) in the country-code field and the rest in the local-number field.

The platform reads the incoming text, extracts the code, and types it.
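As an added illustration (not Pentest Copilot's own code, and not a description of its actual parsing rules, which this page does not document), the snippet below shows the kind of extraction the platform performs on a received email or SMS: it pulls a one-time code from the text near a "code" / "OTP" keyword and a magic link from the message's URLs, skipping footer links such as unsubscribe. The sample messages are constructed, and the keyword, link-hint and deny lists are assumptions chosen for the example.

```python
import re
from dataclasses import dataclass
from html import unescape
from typing import Optional

# Constructed sample messages (not real mail or SMS traffic).
SAMPLE_OTP_MAIL = (
    "Hi,\n\nYour Acme verification code is 482 913. It expires in 10 minutes.\n\n"
    "If you did not request this, ignore this email.\n"
)
SAMPLE_MAGIC_LINK_MAIL = (
    '<p>Click <a href="https://app.example.test/auth/magic?token=abc123&amp;redirect=%2Fdash">'
    'Sign in</a> to continue, or <a href="https://example.test/unsubscribe?u=9">unsubscribe</a>.</p>'
)
SAMPLE_SMS = "Your Acme code is 915 204. Don't share it with anyone."


@dataclass
class Verification:
    code: Optional[str]   # digits only, e.g. "482913"
    link: Optional[str]   # the magic/verification URL, HTML entities decoded


# Assumed heuristics: a code sits within ~60 characters of one of these words ...
CODE_KEYWORD = re.compile(r"\b(?:code|otp|passcode|pin)\b", re.IGNORECASE)
# ... and is 4-8 digits, or two 3-digit groups split by a space or dash ("482 913").
CODE_GROUP = re.compile(r"(?<!\d)(\d{3}[ -]\d{3}|\d{4,8})(?!\d)")
URL = re.compile(r"https?://[^\s\"'<>)]+")
LINK_HINTS = ("verify", "magic", "token", "confirm", "login", "signin", "auth")
LINK_DENY = ("unsubscribe", "privacy", "terms")


def _plain_text(body: str) -> str:
    """Drop HTML tags and decode entities so keyword search works on rendered text."""
    return unescape(re.sub(r"<[^>]+>", " ", body))


def extract_code(body: str) -> Optional[str]:
    """Return the first digit group found in a window around a code keyword, or None."""
    text = _plain_text(body)
    for kw in CODE_KEYWORD.finditer(text):
        window = text[max(0, kw.start() - 60): kw.end() + 60]
        match = CODE_GROUP.search(window)
        if match:
            return re.sub(r"[ -]", "", match.group(1))
    return None


def extract_link(body: str) -> Optional[str]:
    """Return the first URL that looks like a sign-in link and is not a footer link."""
    for raw in URL.findall(body):
        url = unescape(raw)          # "&amp;" in an href becomes "&"
        lowered = url.lower()
        if any(word in lowered for word in LINK_DENY):
            continue
        if any(hint in lowered for hint in LINK_HINTS):
            return url
    return None


def extract_verification(body: str) -> Verification:
    """Combine both extractors; a message may carry a code, a link, or neither."""
    return Verification(code=extract_code(body), link=extract_link(body))


if __name__ == "__main__":
    for label, message in (("email OTP", SAMPLE_OTP_MAIL),
                           ("magic link", SAMPLE_MAGIC_LINK_MAIL),
                           ("SMS", SAMPLE_SMS)):
        print(label, extract_verification(message))
```

The keyword window matters more than the digit pattern: a bare "any 6 digits" rule would happily pick up order numbers or timestamps from the same message, which is exactly the failure that leads to a wrong code being typed and a run being flagged for re-recording.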

TOTP (authenticator apps)

When the target shows a QR code or Base32 secret during authenticator setup:

Step   Action
1      Click the TOTP button in the recording toolbar
2      Paste the Base32 secret, e.g. JBSWY3DPEHPK3PXP
3      When the target asks for a code, click the OTP field. The platform types the current 6-digit code.

The secret saves with the session. On every future run, the platform regenerates the current code and types it.
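To show what "regenerates the current code" involves, here is an added, standard-library implementation of RFC 4226 HOTP and RFC 6238 TOTP. It is not Pentest Copilot's code; it assumes the common defaults of HMAC-SHA1, a 30-second step and 6 digits (the page states only the digit count), and the `RFC_TEST_SECRET_B32` constant is the RFC test key encoded as Base32 so the output can be checked against the published vectors. `verify_totp` is the matching server-side check with a drift window, included because it makes clear why the stored secret deserves the tenant isolation the FAQ describes: anyone holding the Base32 string can produce valid codes indefinitely.

```python
import base64
import hashlib
import hmac
import struct
import time
from typing import Optional

# Assumed defaults (RFC 6238); the page states only that codes are 6 digits.
DEFAULT_STEP = 30
DEFAULT_DIGITS = 6

# RFC 4226 / RFC 6238 test key, in the Base32 form an authenticator setup page would show.
RFC_TEST_SECRET_B32 = base64.b32encode(b"12345678901234567890").decode()


def decode_base32_secret(secret: str) -> bytes:
    """Normalise a pasted secret: drop spaces, upper-case, restore '=' padding."""
    cleaned = "".join(secret.split()).upper().rstrip("=")
    cleaned += "=" * (-len(cleaned) % 8)
    return base64.b32decode(cleaned)


def hotp(key: bytes, counter: int, digits: int = DEFAULT_DIGITS) -> str:
    """RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter, dynamic truncation, mod 10^digits."""
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    truncated = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return str(truncated % (10 ** digits)).zfill(digits)


def totp(secret_b32: str, at_time: Optional[float] = None,
         step: int = DEFAULT_STEP, digits: int = DEFAULT_DIGITS) -> str:
    """RFC 6238: HOTP with counter = floor(unix_time / step)."""
    now = time.time() if at_time is None else at_time
    return hotp(decode_base32_secret(secret_b32), int(now // step), digits)


def seconds_remaining(at_time: Optional[float] = None, step: int = DEFAULT_STEP) -> int:
    """How long the current code stays valid; useful when deciding whether to wait for the next step."""
    now = time.time() if at_time is None else at_time
    return step - int(now % step)


def verify_totp(secret_b32: str, code: str, at_time: Optional[float] = None,
                window: int = 1, step: int = DEFAULT_STEP, digits: int = DEFAULT_DIGITS) -> bool:
    """Server-side check: accept the current step and +/- `window` steps of clock drift.

    Uses a constant-time comparison so a verifier does not leak which digits matched.
    """
    now = time.time() if at_time is None else at_time
    key = decode_base32_secret(secret_b32)
    counter = int(now // step)
    return any(hmac.compare_digest(hotp(key, counter + delta, digits), code)
               for delta in range(-window, window + 1))


if __name__ == "__main__":
    # The page's example secret; the value printed depends on the current time.
    example = "JBSWY3DPEHPK3PXP"
    print("current code:", totp(example), "valid for", seconds_remaining(), "more seconds")
```

Because the code is a pure function of the secret and the clock, a session that stores the Base32 secret can regenerate codes on every run without any network round-trip, which is why this path has no "code expired" failure mode comparable to email or SMS delivery.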

Captcha

Nothing to do. The platform detects and solves:

  • reCAPTCHA v2 and v3
  • hCaptcha
  • Cloudflare Turnstile
  • Image, text, and audio puzzles

If a captcha sticks (rare, usually a new variant), solve it manually during recording and flag it to Bugbase.

Recording checklist

Step   Action
1      Open Browser Session Manager, Record Session tab
2      Note the monitored email and phone in the info notice
3      Use those values wherever the target asks for email or phone
4      For TOTP, use the helper button when the target shows a secret
5      Let captchas resolve on their own
6      Finish the login, stop recording, save

FAQ

Q: Is the displayed inbox real?
A: Yes. It's assigned to your workspace and polled continuously.

Q: Does every session share the same email and phone?
A: Yes. They're workspace-wide and stay the same across all your recorded sessions.

Q: What if a code expires before it's used?
A: Polling runs every few seconds, so timeouts are rare. Failed runs are flagged for re-recording.

Q: Is my TOTP secret secure?
A: It's stored inside the session record in your workspace, not shared across tenants.

Q: Do I need my own Capsolver or 2Captcha account?
A: No. Captcha solving is included.

Q: On-premise or custom tenant?
A: If you're running Pentest Copilot on your own infrastructure or need a dedicated email / phone (e.g. because the target allow-lists specific domains), we can swap in values you provide. Share the address and number during onboarding and the chips on your dashboard will update automatically. Captcha auto-solve can also be disabled per deployment when manual solving is required for an engagement.
