OWASP Denial Of Inventory Vs Automated Scalping
We’ve all been there. Your favorite band or Broadway show announces a full-scale tour, including a date at a hometown venue. But when tickets finally go on sale, you view available seats online only to find that every seat in the house is already sold. Did the other hundreds or thousands of fans hoping to get tickets beat you to the punch? Hardly. More likely than not, your desired seats have been snatched up by ticketing bots.
This is a common example of automated scalping, defined by the Open Web Application Security Project (OWASP) as obtaining limited-availability and/or preferred goods/services by unfair methods. But while such scalping is infuriating on its own, bots have another similar ploy.
Wreaking havoc on the user experience, denial of inventory means that bona fide purchasers can’t gain access to items they seek. Even more frustrating, the inventory remains available, but malicious users are hoarding it. By artificially creating an out-of-stock condition, they can arbitrage inventory at dramatically higher prices. And it’s a win-win for them: they only purchase the targeted items if their own marked-up listing sells. There is virtually no way for them to lose money on this “deal.”
This automated threat also impacts the travel industry, where bots reserve hotel rooms and airline seats. The perp never actually proceeds as far as checkout for their spot, and the held reservations potentially contribute to a negative price impact for consumers.
Even though this threat was only recently named, Distil Networks has been protecting websites, mobile apps, and APIs from denial of inventory attacks for years.
Does this type of threat sound familiar to you? Get in touch with us today to learn how Distil can help block all automated threats.
And take a look at the latest version of OWASP’s Automated Threats Handbook for more information about the ever-evolving bot landscape.
About the Author
Bobby Power comes to Distil Networks as a technical writer with previous software documentation experience in both the public and private sectors. He is responsible for working with Distil’s Product Marketing team to develop detailed documentation and online help, including Knowledge Base articles, in-app help, user guides, and more. He spends his free time with his wife, son, daughter, and dog, and writes for a few music outlets, including AdHoc, Decoder Magazine, Thump/Vice, and Creative Loafing.