Ok, ok - don't downvote this.<p>I'm wonder how a vulnerability scanner of a web application tries to scan for vulnerabilities like XSS, SQL injection if a lot of web servers block automated form submission from happening through measures like Captcha, etc ?<p>Please leave your answer in comments.