OWASP Automated Threats - OAT-005 Scalping

Introduction:

In this OWASP Automated Threat Article we'll be highlighting OAT-005 Scalping with some basic threat information as well as a recorded demo to dive into the concepts deeper. In our demo we'll show how automation is used to monitor and wait for goods or services to become available and then take rapid action to beat normal users to obtain them. We'll wrap it up by highlighting F5 XC Bot Defense to show how we solve this problem for our customers.

Scalping Description:

Acquisition of goods or services using the application in a manner that a normal user would be unable to undertake manually.

Scalping may include monitoring for the availability of the goods or services and then taking rapid action to beat normal users to obtain them, but it adds the concept of limited availability of sought-after goods or services. It is best known in the ticketing business, where the tickets acquired are later resold at a profit by the scalpers.

OWASP Automated Threat (OAT) Identity Number

OAT-005

Threat Event Name

Scalping

Summary Defining Characteristics

Obtain limited-availability and/or preferred goods/services by unfair methods.

OAT-005 Attack Demographics:

Sectors Targeted: Entertainment, Financial, Retail

Parties Affected: Many Users, Application Owner

Data Commonly Misused: NA

Other Names and Examples: Bulk purchase, Purchase automation, Purchase bot, Queue jumping, Ticket Scalping

Possible Symptoms: High peaks of traffic for certain limited-availability goods or services; Increased circulation of limited goods reselling on secondary market

Scalping Demo:

In this demo we will be showing a simple example of how automation is used to monitor and wait for goods or services to become available and then take rapid action to beat normal users to obtain them. We'll then have a look at the same attack with F5 Distributed Cloud Bot Defense protecting the application.
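As an added illustration of the monitor-and-wait-then-strike behaviour described above and of the "high peaks of traffic" symptom listed in the demographics, the following Python is example detection logic written for this article; it is not part of the demo or of F5 Bot Defense. It runs over constructed access-log lines, and the endpoint paths, the restock timestamp and the human-behaviour thresholds are assumptions.

```python
# Flag clients showing the OAT-005 monitor-and-strike pattern in constructed access
# logs (format "ISO-timestamp client method path"); thresholds and paths are assumed.
from collections import defaultdict
from datetime import datetime
from statistics import median
# Constructed sample: 10.0.0.5 polls stock every 250 ms and buys 120 ms after restock;
# 10.0.0.9 checks twice, 25 s apart, and buys 23 s after restock (not real traffic).
SAMPLE_LOG = """\
2023-04-27T10:00:00.000 10.0.0.5 GET /api/stock/123
2023-04-27T10:00:00.250 10.0.0.5 GET /api/stock/123
2023-04-27T10:00:00.500 10.0.0.5 GET /api/stock/123
2023-04-27T10:00:00.750 10.0.0.5 GET /api/stock/123
2023-04-27T10:00:01.120 10.0.0.5 POST /checkout/123
2023-04-27T09:59:40.000 10.0.0.9 GET /api/stock/123
2023-04-27T10:00:05.000 10.0.0.9 GET /api/stock/123
2023-04-27T10:00:24.000 10.0.0.9 POST /checkout/123
"""
RESTOCK_AT = datetime.fromisoformat("2023-04-27T10:00:01.000")  # item went on sale
MAX_HUMAN_POLL_INTERVAL_S = 2.0   # assumed: people do not refresh faster than this
MIN_HUMAN_STRIKE_LATENCY_S = 3.0  # assumed: people need at least this long to buy

def parse_log(text):
    """Return (timestamp, client, method, path) tuples sorted by time."""
    events = []
    for line in text.splitlines():
        ts, client, method, path = line.split()
        events.append((datetime.fromisoformat(ts), client, method, path))
    return sorted(events)

def profile_clients(events, restock_at):
    """Per client: polling cadence, time from restock to first checkout, verdict."""
    polls, checkouts = defaultdict(list), defaultdict(list)
    for ts, client, method, path in events:
        if method == "GET" and path.startswith("/api/stock/"):
            polls[client].append(ts)
        elif method == "POST" and path.startswith("/checkout/"):
            checkouts[client].append(ts)
    report = {}
    for client in set(polls) | set(checkouts):
        stamps = polls[client]
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        interval = median(gaps) if gaps else None
        first_buy = min((t for t in checkouts[client] if t >= restock_at), default=None)
        latency = (first_buy - restock_at).total_seconds() if first_buy else None
        fast_poll = interval is not None and interval < MAX_HUMAN_POLL_INTERVAL_S
        fast_strike = latency is not None and latency < MIN_HUMAN_STRIKE_LATENCY_S
        report[client] = {"polls": len(stamps), "median_poll_interval_s": interval,
                          "strike_latency_s": latency,
                          "verdict": "scalping" if fast_poll and fast_strike else "normal"}
    return report

REPORT = profile_clients(parse_log(SAMPLE_LOG), RESTOCK_AT)  # usage on the sample
```

In production the same two signals (sub-second polling cadence and sub-second restock-to-checkout latency) would be computed per session or device fingerprint rather than per IP, since scalping operations commonly spread requests across many addresses.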

In Conclusion:

Scalping bots are a real problem for organizations and their customers: they are backed by a vast ecosystem built to acquire large amounts of inventory at scale and resell it for a profit. F5 has the solutions to provide superior efficacy in interrupting and stopping this unwanted automation.

Updated Apr 27, 2023
Version 3.0