OWASP Automated Threats - OAT-013 Sniping
Introduction:
In this OWASP Automated Threat article we highlight OAT-013 Sniping with basic threat information and a recorded demo that goes deeper into the concepts. In the demo we explain how sniping works: the attacker's bid is placed so late in the auction that other users have insufficient time to respond with a counter-bid. We wrap up by highlighting F5 Bot Defense to show how we solve this problem for our customers.
Sniping Description:
OWASP Automated Threat (OAT) Identity Number: OAT-013
Threat Event Name: Sniping
Summary Defining Characteristics: Last minute bid or offer for goods or services.
OAT-013 Attack Demographics:
Sectors Targeted: Entertainment, Financial, Retail
Parties Affected: Few Individual Users, Application Owner, Third Parties
Data Commonly Misused: Other Financial Data, Other Business Data
Other Names and Examples: Auction Sniping, Bid Sniper, Last Minute Bet
Possible Symptoms:
- Elevated basket abandonment
- Reduced average basket price
- Higher proportion of failed payment authorisations
- Disproportionate use of the payment step
- Increased chargebacks
- Multiple failed payment authorisations from the same user and/or IP address and/or User Agent and/or session and/or deviceID/fingerprint
Sniping Presentation:
In this presentation we discuss how attackers leverage automation to execute sniping bids against the application and win with last-second bids. We then show how to quickly protect your application with F5 Distributed Cloud Bot Defense.
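The timing that makes sniping work, together with a detection pass over bid logs, as an added example (not code from the article, the demo, or F5 Bot Defense). The bid log is constructed for illustration, and the thresholds SNIPE_WINDOW_S, MIN_SNIPED_AUCTIONS, MAX_OFFSET_STDEV_S and HUMAN_REACTION_S are assumptions chosen for the example, not values from the page:

```python
import csv
import io
import statistics
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample bid log (illustrative only, not real auction data).
# auction_end and bid_ts are UTC ISO-8601 as the auction server recorded them.
BID_LOG = """\
auction_id,auction_end,bid_ts,bidder,ip,user_agent
A1,2024-05-01T12:00:00Z,2024-05-01T11:42:10Z,alice,203.0.113.5,Mozilla/5.0 (Windows NT 10.0) Chrome/124
A1,2024-05-01T12:00:00Z,2024-05-01T11:58:03Z,bob,198.51.100.7,Mozilla/5.0 (Macintosh) Safari/605
A1,2024-05-01T12:00:00Z,2024-05-01T11:59:58.850Z,snipe01,192.0.2.10,python-requests/2.31
A2,2024-05-01T15:30:00Z,2024-05-01T15:12:44Z,carol,203.0.113.9,Mozilla/5.0 (X11; Linux) Firefox/125
A2,2024-05-01T15:30:00Z,2024-05-01T15:29:40Z,bob,198.51.100.7,Mozilla/5.0 (Macintosh) Safari/605
A2,2024-05-01T15:30:00Z,2024-05-01T15:29:58.870Z,snipe01,192.0.2.10,python-requests/2.31
A3,2024-05-02T09:00:00Z,2024-05-02T08:59:56Z,alice,203.0.113.5,Mozilla/5.0 (Windows NT 10.0) Chrome/124
A3,2024-05-02T09:00:00Z,2024-05-02T08:59:58.840Z,snipe01,192.0.2.10,python-requests/2.31
A3,2024-05-02T09:00:00Z,2024-05-02T08:59:59.200Z,dave,203.0.113.77,Mozilla/5.0 (iPhone) Safari/604
"""

# Assumed thresholds for this example; tune against your own auction data.
SNIPE_WINDOW_S = 3.0       # a bid this close to the close time is "last second"
MIN_SNIPED_AUCTIONS = 2    # repeat behaviour across auctions, not one lucky bid
MAX_OFFSET_STDEV_S = 0.25  # machine-consistent timing; humans jitter far more
HUMAN_REACTION_S = 2.0     # assumed floor for a person to see a bid and counter it


def parse_ts(s):
    """Parse an ISO-8601 UTC timestamp; the 'Z' suffix is mapped to +00:00."""
    return datetime.fromisoformat(s.replace("Z", "+00:00"))


def load_bids(text):
    """Read the CSV log and annotate each bid with seconds left until close."""
    rows = []
    for r in csv.DictReader(io.StringIO(text)):
        end, ts = parse_ts(r["auction_end"]), parse_ts(r["bid_ts"])
        r["seconds_to_close"] = (end - ts).total_seconds()
        rows.append(r)
    return rows


def snipe_fire_time(auction_end, lead_s, rtt_s):
    """Attacker side: when a bot sends its bid so that it lands `lead_s` before
    close. It sends early by half the measured round trip so the server
    receives the bid on time; this is the scheduling a sniping bot automates."""
    return auction_end - timedelta(seconds=lead_s + rtt_s / 2)


def time_left_after_last_bid(bids, auction_id):
    """Seconds other bidders had after the final bid in an auction. Below
    HUMAN_REACTION_S nobody can realistically counter, which is the whole
    point of sniping."""
    return min(b["seconds_to_close"] for b in bids if b["auction_id"] == auction_id)


def flag_snipers(bids):
    """Defender side: report bidders whose last-second bids recur across
    auctions with machine-like timing consistency."""
    by_bidder = defaultdict(list)
    for b in bids:
        if b["seconds_to_close"] <= SNIPE_WINDOW_S:
            by_bidder[b["bidder"]].append(b)
    report = {}
    for bidder, hits in by_bidder.items():
        auctions = {h["auction_id"] for h in hits}
        if len(auctions) < MIN_SNIPED_AUCTIONS:
            continue  # one late bid is normal human behaviour
        offsets = [h["seconds_to_close"] for h in hits]
        jitter = statistics.pstdev(offsets)
        if jitter > MAX_OFFSET_STDEV_S:
            continue  # late but irregular: more likely a person watching the clock
        report[bidder] = {
            "auctions": sorted(auctions),
            "mean_offset_s": round(statistics.mean(offsets), 3),
            "offset_stdev_s": round(jitter, 3),
            "user_agents": sorted({h["user_agent"] for h in hits}),
            "ips": sorted({h["ip"] for h in hits}),
        }
    return report


if __name__ == "__main__":
    bids = load_bids(BID_LOG)
    for auction in ("A1", "A2", "A3"):
        left = time_left_after_last_bid(bids, auction)
        print(f"{auction}: {left:.2f}s left after final bid "
              f"({'no time to counter' if left < HUMAN_REACTION_S else 'ok'})")
    for bidder, info in flag_snipers(bids).items():
        print(f"flagged {bidder}: {info}")
```

The detector keys on repetition across auctions plus low timing jitter rather than on a single late bid, because a person can legitimately bid in the final seconds once; the User-Agent and IP columns in the report are there to be joined with bot-defense signals (device fingerprint, session history), not to be trusted on their own, since a sniping tool can set any User-Agent it likes.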
In Conclusion:
Sniping remains a very common way to win auctions whose outcome is decided by timing and the last-minute execution of a bid. It is very preventable once appropriate anti-automation controls are in place.
OWASP Links
- OWASP Automated Threats to Web Applications Home Page
- OWASP Automated Threats Identification Chart
- OWASP Automated Threats to Web Applications Handbook
F5 Related Content
- F5 Bot Defense Solutions
- The OWASP Automated Threats Project
- OWASP Automated Threats - CAPTCHA Defeat (OAT-009)
- Operationalizing Online Fraud Detection, Prevention, and Response
- JavaScript Supply Chains, Magecart, and F5 XC Client-Side Defense (Demo)
- How Attacks Evolve From Bots to Fraud, Part 1
- How Attacks Evolve From Bots to Fraud, Part 2
- F5 Distributed Cloud Bot Defense