Published on 28-Dec-2022 05:00, edited on 27-Apr-2023 14:32 by LiefZimmerman
In this OWASP Automated Threat Article we'll be highlighting OAT-005 Scalping with some basic threat information as well as a recorded demo to dive deeper into the concepts. In our demo we'll show how automation is used to monitor and wait for goods or services to become available and then take rapid action to beat normal users to obtaining them. We'll wrap it up by highlighting F5 XC Bot Defense to show how we solve this problem for our customers.
Acquisition of goods or services using the application in a manner that a normal user would be unable to undertake manually.
Scalping may include monitoring for the availability of the goods or services and then taking rapid action to beat normal users to them. It adds the concept of limited availability of sought-after goods or services, and is best known in the ticketing business, where the tickets acquired are later resold at a profit by the scalpers.
Scalping
Obtain limited-availability and/or preferred goods/services by unfair methods.
| Sectors Targeted | Parties Affected | Data Commonly Misused | Other Names and Examples | Possible Symptoms |
| --- | --- | --- | --- | --- |
| Entertainment | Many Users | NA | Bulk purchase | High peaks of traffic for certain limited-availability goods or services |
| Financial | Application Owner | | Purchase automation | Increased circulation of limited goods reselling on secondary market |
| Retail | | | Purchase bot | |
| | | | Queue jumping | |
| | | | Ticket Scalping | |
In this demo we will be showing a simple example of how automation is used to monitor and wait for goods or services to become available and then take rapid action to beat normal users to obtain them. We'll then have a look at the same attack with F5 Distributed Cloud Bot Defense protecting the application.
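The two symptoms the table lists (traffic peaks on a limited-availability item, and a purchase that lands at machine speed once stock appears) can be spotted in ordinary access logs. The following is an added example, not code from the article or from F5's product: it runs a sliding-window poll counter and a check-to-checkout timing rule over constructed log lines, with the endpoint paths, client addresses and thresholds all assumed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample access-log lines (not from the article): client 203.0.113.7 polls
# the stock endpoint for one limited item several times per second and checks out
# within 80 ms of stock appearing; client 198.51.100.5 browses at human pace.
SAMPLE_LOG = """\
2023-04-27T14:30:00.100 203.0.113.7 GET /api/stock/ticket-123
2023-04-27T14:30:00.350 203.0.113.7 GET /api/stock/ticket-123
2023-04-27T14:30:00.600 203.0.113.7 GET /api/stock/ticket-123
2023-04-27T14:30:00.850 203.0.113.7 GET /api/stock/ticket-123
2023-04-27T14:30:01.100 203.0.113.7 GET /api/stock/ticket-123
2023-04-27T14:30:01.180 203.0.113.7 POST /api/checkout/ticket-123
2023-04-27T14:30:00.000 198.51.100.5 GET /tickets/ticket-123
2023-04-27T14:30:09.000 198.51.100.5 GET /api/stock/ticket-123
2023-04-27T14:30:41.000 198.51.100.5 POST /api/checkout/ticket-123
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (GET|POST) (\S+)$")

def parse(log):
    """Parse 'timestamp client method path' lines into time-sorted tuples."""
    events = []
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append((datetime.fromisoformat(m.group(1)), m.group(2), m.group(3), m.group(4)))
    events.sort()
    return events

def flag_scalpers(log, window=timedelta(seconds=1), max_polls=3, min_gap=timedelta(seconds=2)):
    """Return {client: [reasons]} for clients showing scalping symptoms:
    more than max_polls stock checks of one item inside a sliding window, or a
    checkout less than min_gap after that client's last stock check of the item."""
    polls = defaultdict(list)   # (client, item) -> timestamps of recent stock checks
    reasons = defaultdict(set)
    for ts, client, method, path in parse(log):
        item = path.rsplit("/", 1)[-1]
        if method == "GET" and path.startswith("/api/stock/"):
            stamps = polls[(client, item)]
            stamps.append(ts)
            while stamps and ts - stamps[0] > window:   # drop polls outside the window
                stamps.pop(0)
            if len(stamps) > max_polls:
                reasons[client].add("high-frequency stock polling")
        elif method == "POST" and path.startswith("/api/checkout/"):
            stamps = polls.get((client, item))
            if stamps and ts - stamps[-1] < min_gap:
                reasons[client].add("checkout within machine-speed of stock check")
    return {c: sorted(r) for c, r in reasons.items()}
```

Thresholds like these are a starting point for an alert, not a block decision on their own; a shared NAT address can legitimately exceed a per-client poll rate.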