OWASP Automated Threats - OAT-005 Scalping
Introduction:
In this OWASP Automated Threat article we'll be highlighting OAT-005 Scalping with some basic threat information as well as a recorded demo to dive deeper into the concepts. In our demo we'll show how automation is used to monitor and wait for goods or services to become available and then take rapid action to beat normal users to obtaining them. We'll wrap it up by highlighting F5 XC Bot Defense to show how we solve this problem for our customers.
Scalping Description:
Acquisition of goods or services using the application in a manner that a normal user would be unable to undertake manually.
Although Scalping may include monitoring and awaiting the availability of the goods or services, and then rapid action to beat normal users to obtain them, Scalping adds the concept of limited availability of sought-after goods or services. It is best known in the ticketing business, where the tickets acquired are later resold at a profit by the scalpers.
| OWASP Automated Threat (OAT) Identity Number | Threat Event Name | Summary Defining Characteristics |
| --- | --- | --- |
| OAT-005 | Scalping | Obtain limited-availability and/or preferred goods/services by unfair methods. |
OAT-005 Attack Demographics:
| Sectors Targeted | Parties Affected | Data Commonly Misused | Other Names and Examples | Possible Symptoms |
| --- | --- | --- | --- | --- |
| Entertainment | Many Users | NA | Bulk purchase | High peaks of traffic for certain limited-availability goods or services |
| Financial | Application Owner | | Purchase automation | Increased circulation of limited goods reselling on secondary market |
| Retail | | | Purchase bot | |
| | | | Queue jumping | |
| | | | Ticket Scalping | |
Scalping Demo:
In this demo we will be showing a simple example of how automation is used to monitor and wait for goods or services to become available and then take rapid action to beat normal users to obtain them. We'll then have a look at the same attack with F5 Distributed Cloud Bot Defense protecting the application.
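The two "Possible Symptoms" listed above (traffic peaks against an availability endpoint, and purchases completed faster than a person could) are what a defender can actually look for in access logs while the demo's automation is running. The following is an added example written for this article, not code from the original post or from F5 Distributed Cloud Bot Defense. It assumes a simplified log line format, a `/api/stock/<sku>` availability endpoint, a `/checkout` POST, a known release time, and the client names and thresholds used below; all of those are constructed for the illustration.

```python
"""Added example (not from the original article or F5): heuristics for spotting the
OAT-005 'Possible Symptoms' in web access logs. The log format, the /api/stock and
/checkout paths, the thresholds and all client IDs are assumptions made up here."""
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample access log: "<ISO timestamp> <client> <method> <path> <status>".
# bot-7 polls availability every second before the 10:00:00 release and checks out
# immediately; bot-9 polls less but still checks out within a second; user-a and
# user-b behave like people browsing the product page.
SAMPLE_LOG = """\
2024-03-01T09:59:50 bot-7 GET /api/stock/sku-123 200
2024-03-01T09:59:51 bot-7 GET /api/stock/sku-123 200
2024-03-01T09:59:52 bot-7 GET /api/stock/sku-123 200
2024-03-01T09:59:53 bot-7 GET /api/stock/sku-123 200
2024-03-01T09:59:54 bot-7 GET /api/stock/sku-123 200
2024-03-01T09:59:55 bot-7 GET /api/stock/sku-123 200
2024-03-01T09:59:56 bot-7 GET /api/stock/sku-123 200
2024-03-01T09:59:57 bot-7 GET /api/stock/sku-123 200
2024-03-01T09:59:58 bot-7 GET /api/stock/sku-123 200
2024-03-01T09:59:59 bot-7 GET /api/stock/sku-123 200
2024-03-01T10:00:00 bot-7 GET /api/stock/sku-123 200
2024-03-01T10:00:00 bot-7 POST /checkout 200
2024-03-01T09:59:55 bot-9 GET /api/stock/sku-123 200
2024-03-01T09:59:56 bot-9 GET /api/stock/sku-123 200
2024-03-01T09:59:57 bot-9 GET /api/stock/sku-123 200
2024-03-01T09:59:58 bot-9 GET /api/stock/sku-123 200
2024-03-01T09:59:59 bot-9 GET /api/stock/sku-123 200
2024-03-01T10:00:00 bot-9 GET /api/stock/sku-123 200
2024-03-01T10:00:01 bot-9 POST /checkout 200
2024-03-01T09:58:12 user-a GET /product/sku-123 200
2024-03-01T10:00:03 user-a GET /api/stock/sku-123 200
2024-03-01T10:00:25 user-a POST /checkout 200
2024-03-01T10:00:04 user-b GET /api/stock/sku-123 200
"""

# Assumed release time of the limited-availability item (the defender knows this).
ON_SALE_AT = datetime(2024, 3, 1, 10, 0, 0)


def parse_log(text):
    """Turn the simplified log format into a list of event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, client, method, path, status = line.split()
        events.append({"ts": datetime.fromisoformat(ts), "client": client,
                       "method": method, "path": path, "status": int(status)})
    return events


def requests_per_second(events, path_prefix="/api/stock/"):
    """Aggregate view of the 'high peaks of traffic' symptom: hits per second on the
    availability endpoint across all clients."""
    per_second = Counter()
    for ev in events:
        if ev["path"].startswith(path_prefix):
            per_second[ev["ts"].replace(microsecond=0)] += 1
    return per_second


def detect_scalping(events, on_sale_at, stock_prefix="/api/stock/",
                    poll_window=timedelta(seconds=60), poll_threshold=10,
                    fast_checkout=timedelta(seconds=2)):
    """Per-client heuristics: (1) repeated availability polling in the window before
    release, (2) a checkout completed faster than a person could after release.
    Returns {client: [reasons]} for clients that trip at least one heuristic."""
    polls = Counter()
    first_checkout = {}
    for ev in events:
        c = ev["client"]
        if (ev["method"] == "GET" and ev["path"].startswith(stock_prefix)
                and on_sale_at - poll_window <= ev["ts"] <= on_sale_at):
            polls[c] += 1
        if ev["method"] == "POST" and ev["path"] == "/checkout" and ev["ts"] >= on_sale_at:
            if c not in first_checkout or ev["ts"] < first_checkout[c]:
                first_checkout[c] = ev["ts"]
    findings = defaultdict(list)
    for c, n in polls.items():
        if n >= poll_threshold:
            findings[c].append(
                f"{n} availability polls in the {int(poll_window.total_seconds())}s before release")
    for c, ts in first_checkout.items():
        delta = ts - on_sale_at
        if delta <= fast_checkout:
            findings[c].append(f"checkout {delta.total_seconds():.0f}s after release")
    return dict(findings)


def run_example():
    """Run both heuristics over the constructed sample log."""
    events = parse_log(SAMPLE_LOG)
    return detect_scalping(events, ON_SALE_AT), requests_per_second(events)


if __name__ == "__main__":
    findings, peaks = run_example()
    for client, reasons in findings.items():
        print(client, "->", "; ".join(reasons))
    print("peak availability hits/sec:", max(peaks.values()))
```

Thresholds like ten polls per minute or a two-second checkout are deliberately crude; in practice they are tuned per launch and combined with the client-side signals a bot-defense product collects, but even this log-only view separates the two automated clients from the two human-like ones in the sample.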
In Conclusion:
Scalping bots are a real problem for organizations and customers, as they are backed by a vast ecosystem built to acquire large amounts of inventory at scale and resell it for a profit. F5 has the solutions to provide superior efficacy to interrupt and stop this unwanted automation.
OWASP Links
- OWASP Automated Threats to Web Applications Home Page
- OWASP Automated Threats Identification Chart
- OWASP Automated Threats to Web Applications Handbook
F5 Related Content
- Deploy Bot Defense on any Edge with F5 Distributed Cloud (SaaS Console, Automation)
- F5 Bot Defense Solutions
- The OWASP Automated Threats Project
- OWASP Automated Threats - CAPTCHA Defeat (OAT-009)
- OWASP Automated Threats - Credential Stuffing (OAT-008)
- OWASP Automated Threats - OAT-001 Carding
- Operationalizing Online Fraud Detection, Prevention, and Response
- JavaScript Supply Chains, Magecart, and F5 XC Client-Side Defense (Demo)
- How Attacks Evolve From Bots to Fraud Part: 1
- How Attacks Evolve From Bots to Fraud Part: 2
- F5 Distributed Cloud Bot Defense
Janibasha (Employee): Great demo on bot mitigation...