New Year, New Threat: OWASP Denial of Inventory (OAT-021)

March 19, 2018 Bobby Power

OWASP Denial Of Inventory Vs Automated Scalping

We’ve all been there. Your favorite band or Broadway show announces a full-scale tour, including a date at a hometown venue. But when tickets finally go on sale, you view available seats online only to find that every seat in the house is already sold. Did the other hundreds or thousands of fans hoping to get tickets beat you to the punch? Hardly. More likely than not, your desired seats have been snatched up by ticketing bots.

This is a common example of automated scalping, defined by the Open Web Application Security Project (OWASP) as obtaining limited-availability and/or preferred goods/services by unfair methods. But while such scalping is infuriating on its own, bots have another similar ploy.

Last month, OWASP released an updated version of their Automated Threat Handbook that includes Denial of Inventory (OAT-021). It’s defined as adding ecommerce items to a cart in order to artificially remove them from circulation. The subtle but major difference between denial of inventory and scalping is that the purchase of goods or services is never fully completed by the attacker.
denial of inventory

Wreaking havoc on the user experience, denial of inventory means that bona fide purchasers can’t gain access to items they seek. Even more frustrating is that inventory remains available, but malicious users are hoarding it. Having artificially created an out of stock condition, this enables them to arbitrage inventory at dramatically higher prices. And it’s a win-win for them— they only purchase the targeted items if their own marked-up listing sells. There is virtually no way for them to lose money on this “deal.”

This automated threat also impacts the travel industry by reserving hotel rooms and airline seats. Never actually proceeding as far as checkout for their spot, the perp potentially contributes to a negative price impact for consumers.

Even though this threat was only recently named, Distil Networks has been protecting websites, mobile apps, and APIs from denial of inventory attacks for years.

Does this type of threat sound familiar to you? Get in touch with us today to learn how Distil can help block all automated threats.

And take a look at the latest version of OWASP’s Automated Threats Handbook for more information about the ever-evolving bot landscape.



About the Author

Bobby Power

Bobby comes to Distil Networks as a technical writer with previous software documentation experience in both the public and private sectors. He is responsible for working with Distil’s Product Marketing team to develop detailed documentation and online help, including Knowledge Base articles, in-app help, user guides, and more. He spends his free time with his wife, son, daughter, and dog, and writes for a few music outlets, including AdHoc, Decoder Magazine, Thump/Vice, and Creative Loafing.

More Content by Bobby Power
Previous Article
Anatomy of GiftGhostBot
Anatomy of GiftGhostBot

This infographic shows how the GiftGhostBot works, it's profile, scale and who it effects. Learn about this...

Next Article
Full Transcript and Video: GiftGhostBot Explained
Full Transcript and Video: GiftGhostBot Explained

Distil's Edward Roberts, Director of Product Marketing and Anna Westilius, Senior Director of Security expl...