OWASP Automated Threat (OAT-021) Denial of Inventory

Denial of Inventory – Deplete goods or services stock without ever completing the purchase or committing to the transaction.

What is Denial of Inventory?

Selection and holding of items from a limited inventory or stock, but which are never actually bought, or paid for, or confirmed such that other users are unable to buy/pay/confirm the items themselves.

Denial of Inventory is most commonly thought of as taking ecommerce items out of circulation by adding many of them to a cart/basket: the attacker never actually proceeds to checkout to buy them, but contributes to a possible stock-out condition. A variation of this automated threat event is making reservations (e.g., hotel rooms, restaurant tables, holiday bookings, flight seats) and/or click-and-collect orders without payment. This exhaustion of inventory availability also occurs in other types of web application, such as in the assignment of non-goods like service allocations, product rations, availability slots, queue positions, and budget apportionments.

Denial of Inventory is also known as hoarding, hold all attack, inventory depletion, inventory exhaustion and stock exhaustion.

The Symptoms of Denial of Inventory

OWASP, a worldwide not-for-profit charitable organization focused on improving the security of software, notes that there are several possible symptoms of denial of inventory. These include:

  1. Inventory balances reduce quickly

  2. Increased stock held in baskets or reservations

  3. Elevated basket abandonment

  4. Reduced use of payment step

  5. Increasing complaints from users being unable to obtain goods or services
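The first four symptoms can be measured directly from cart and checkout events. The following is an added example, not code from OWASP or from this page; the event format, the 20% hold threshold and the sample data are constructed assumptions.

```python
from collections import defaultdict

# Constructed sample events, in time order: (session, action, sku, qty)
EVENTS = [
    ("s1", "add", "SKU-A", 1),
    ("s1", "pay", "SKU-A", 1),
    ("s2", "add", "SKU-A", 2),
    ("bot1", "add", "SKU-A", 40),
    ("bot2", "add", "SKU-A", 35),
    ("s3", "add", "SKU-B", 1),
    ("s3", "pay", "SKU-B", 1),
    ("bot1", "add", "SKU-B", 20),
    ("s2", "pay", "SKU-A", 2),
]
STOCK = {"SKU-A": 100, "SKU-B": 50}  # constructed starting inventory


def analyse(events, stock, hold_share=0.2):
    """Return (share of each SKU's stock held unpaid, sessions flagged as hoarding).

    hold_share is an assumed threshold: a session is flagged when it holds at
    least that fraction of a SKU's stock and has never reached the payment step.
    """
    held = defaultdict(lambda: defaultdict(int))  # sku -> session -> unpaid qty
    paid_sessions = set()
    for session, action, sku, qty in events:
        if action == "add":
            held[sku][session] += qty
        elif action in ("pay", "remove"):
            # Paying for or removing an item releases the hold on it.
            held[sku][session] = max(0, held[sku][session] - qty)
            if action == "pay":
                paid_sessions.add(session)
    share = {sku: sum(held[sku].values()) / stock[sku] for sku in stock}
    flagged = {
        session
        for sku, sessions in held.items()
        for session, qty in sessions.items()
        if qty / stock[sku] >= hold_share and session not in paid_sessions
    }
    return share, sorted(flagged)


def abandonment_rate(events):
    """Fraction of sessions that added to a basket but never paid."""
    carted = {s for s, action, _, _ in events if action == "add"}
    paid = {s for s, action, _, _ in events if action == "pay"}
    return len(carted - paid) / len(carted)
```

In production the same counters would be computed over a sliding time window and compared with a baseline for normal trading, since a legitimate sale or promotion also raises basket holds.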

Sectors Targeted by Denial of Inventory

Denial of inventory attacks are aimed at a variety of sectors including education, entertainment, financial, government, health, technology and retail industries.

OWASP, a worldwide not-for-profit charitable organization focused on improving the security of software, says denial of inventory involves exhaustion of goods or services stock without completing the transaction.

OWASP says data commonly misused in denial of inventory includes authentication credentials, payment cardholder data and other financial data, medical data and other personal data, intellectual property and other business data, and public information.

Ways to Prevent Denial of Inventory Security Threat

OWASP suggests several possible countermeasures for organizations to address the threat of denial of inventory. These include:

  1. Consider randomizing the content and URLs of content, linking these changes to an individual user’s session, verifying the changes at each request, and restricting any identified automated usage.

  2. Define test cases for denial of services that confirm an application will detect or prevent users attempting to scalp the data.

  3. Companies can also identify and restrict automated usage by fingerprinting before a denial of service attack can occur.

  4. OWASP also recommends that organizations participate in ecommerce threat intelligence exchanges and contribute any relevant attack data to sector-wide sharing systems.

These are the primary security checks against denial of inventory attacks, but a few dedicated fraudsters will go to greater lengths to strengthen their denial of inventory efforts, often operating through privacy browsers, VPNs and proxy servers to blur their online identity. The measures above help fight back against malicious activity such as denial of inventory without causing harm to your legitimate users.

Online businesses can also opt for a bot mitigation solution that prevents denial of inventory attacks and other OWASP automated threats in real time without affecting legitimate visitors. Bot mitigation is probably the most accurate solution for preventing OWASP Automated Threats, and it also ensures real-time protection against malicious bots. A bot mitigation solution can block all automated ways that bots use to expedite actions on websites.

These security measures help you build a greater defense against denial of inventory attacks that aim to exhaust goods or services without proceeding to the transaction.