OWASP Automated Threat (OAT-005) Scalping

Scalping – Obtain limited availability and/or preferred goods/services by unfair methods.

What is Scalping?

Acquisition of goods or services using the application in a manner that a normal user would be unable to undertake manually.

Although scalping may include monitoring awaiting availability of the goods or services, and then rapid action to beat normal users to obtain these, scalping is not a last-minute action like OAT-013 Sniping, nor just related to automation on behalf of the user such as in OAT-006 Expediting.

This is because scalping includes the additional concept of limited availability of sought-after goods or services and is most well known in the ticketing business where the tickets acquired are then resold later at a profit by the scalper/touts. Scalping can also lead to a type of user denial of service since the goods or services become unavailable rapidly.

Scalping is also known by terms such as bulk purchases, purchase bot, purchase automation, restaurant table/hotel room reservation speed-booking, queue jumping, sale stampede, ticket resale, secondary ticketing, ticket scalping, ticket touting.

The Symptoms of Scalping

OWASP, a worldwide not-for-profit charitable organization focused on improving the security of software, notes that there are several possible symptoms of scalping. These include:

  1. High peaks of traffic for certain limited availability goods or services

  2. Increased circulation of limited goods reselling on the secondary market

Sectors Targeted by Scalping

Scalping attacks are aimed at a variety of sectors including entertainment, financial, and retail industries.

OWASP defines scalping as obtaining limited availability and/or preferred goods or services by unfair methods.

OWASP says the data commonly misused in scalping incidents includes authentication credentials, payment cardholder data and other financial data, medical data and other personal data, intellectual property and other business data, and public information.

Ways to Prevent Scalping Security Threat

OWASP suggests several possible countermeasures for organizations to address the threat of scalping. These include:

  1. Define test cases for scalping that confirm the application will detect or prevent users attempting to scalp limited goods or services.

  2. Consider randomizing the content and URLs of content, linking these changes to an individual user’s session, verifying the changes at each request, and restricting any identified automated usage.

  3. Identify and restrict automated usage by fingerprinting before a scalping attack can occur.

  4. Participate in ecommerce threat intelligence exchanges and contribute any relevant attack data to sector-wide sharing systems.
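Countermeasure 2 combined with the "restrict identified automated usage" step, as an added example (not code from OWASP or the original post): each session gets a randomized purchase URL bound to it by an HMAC, every request is verified, and a session that submits a forged or replayed URL, or hammers one limited item too fast, is restricted. The `/buy/...` path layout, the in-memory key and the thresholds are assumptions for the example.

```python
import hashlib
import hmac
import secrets
import time
from collections import defaultdict

# Constructed server-side key for this example; a real deployment loads it from a secrets store.
SERVER_KEY = secrets.token_bytes(32)


def _tag(session_id: str, product_id: str, nonce: str) -> str:
    """HMAC over (session, product, nonce): the URL only verifies for the session it was issued to."""
    msg = f"{session_id}|{product_id}|{nonce}".encode()
    return hmac.new(SERVER_KEY, msg, hashlib.sha256).hexdigest()[:32]


def issue_purchase_url(session_id: str, product_id: str) -> str:
    """Build a randomized purchase URL for one session (assumed /buy/<product>/<nonce>/<tag> layout)."""
    nonce = secrets.token_hex(8)  # fresh per issue, so the path cannot be precomputed or shared
    return f"/buy/{product_id}/{nonce}/{_tag(session_id, product_id, nonce)}"


def verify_purchase_url(session_id: str, path: str) -> bool:
    """Check at request time that the submitted path was issued to this session."""
    parts = path.strip("/").split("/")
    if len(parts) != 4 or parts[0] != "buy":
        return False
    _, product_id, nonce, tag = parts
    return hmac.compare_digest(_tag(session_id, product_id, nonce), tag)


class ScalpGuard:
    """Restrict a session that fails URL verification or exceeds a per-item attempt rate."""

    def __init__(self, max_attempts: int = 3, window_s: float = 60.0):
        self.max_attempts, self.window_s = max_attempts, window_s
        self.attempts = defaultdict(list)  # (session, product) -> attempt timestamps
        self.restricted = set()

    def allow(self, session_id: str, path: str, now=None) -> bool:
        now = time.time() if now is None else now
        if session_id in self.restricted or not verify_purchase_url(session_id, path):
            self.restricted.add(session_id)  # a forged or replayed URL is itself an automation signal
            return False
        key = (session_id, path.strip("/").split("/")[1])
        self.attempts[key] = [t for t in self.attempts[key] if now - t < self.window_s] + [now]
        if len(self.attempts[key]) > self.max_attempts:  # burst on one limited item
            self.restricted.add(session_id)
            return False
        return True
```

Nonces are not tracked as single-use here; adding that check would also catch the same URL being replayed within the window.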

These are the primary security checks against scalping attacks, but some dedicated fraudsters will go to great lengths to sustain their scalping efforts, often operating through privacy browsers, VPNs, and proxy servers to obscure their online identity. The measures above help fight back against malicious users such as scalpers without causing harm to your legitimate users.

Online businesses can also opt for a bot mitigation solution that prevents scalping attacks and other OWASP automated threats in real time without affecting legitimate visitors. Bot mitigation is probably the most accurate approach to preventing OWASP Automated Threats and also provides real-time protection against malicious bots. A bot mitigation solution can block the automated means by which bots expedite actions on websites.

These security measures help you build a stronger defense against scalping fraud targeting limited-availability goods and services around the world.