OWASP Automated Threats

Obtain limited-availability and/or preferred goods/services by unfair methods.

What is Scalping?

Acquisition of goods or services using the application in a manner that a normal user would be unable to undertake manually.

Although Scalping may include monitoring for availability of the goods or services, followed by rapid action to beat normal users to them, Scalping is not a “last minute” action like OAT-013 Sniping, nor is it simply automation on behalf of the user, as in OAT-006 Expediting. Scalping adds the concept of limited availability of sought-after goods or services, and is best known in the ticketing business, where the tickets acquired are later resold at a profit by the scalpers/touts. It can also lead to a type of user denial of service, since the goods or services rapidly become unavailable.

Scalping is also known by terms such as bulk purchase, purchase automaton, purchase bot, restaurant table/hotel room reservation speed-booking, queue jumping, sale stampede, secondary ticketing, ticket resale, ticket scalping, ticket touting.


The symptoms of Scalping

  1. High peaks of traffic for certain limited-availability goods or services
  2. Increased circulation of limited goods reselling on the secondary market
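
The first symptom, together with the definition's point about purchases a normal user could not make manually, can be checked against request logs. The Python below is an added example, not InfiSecure's or OWASP's code; the event tuple layout, the thresholds and the sample data are assumptions constructed for illustration.

```python
from collections import Counter, defaultdict
from statistics import median

def traffic_peaks(events, bucket=60, factor=5):
    """Return (item, bucket_start, count) for buckets where an item's request
    count exceeds `factor` times that item's median per-bucket count."""
    counts = defaultdict(Counter)
    for ts, _client, item, _action in events:
        counts[item][ts - ts % bucket] += 1
    peaks = []
    for item, per_bucket in counts.items():
        base = median(per_bucket.values())
        peaks += [(item, b, n) for b, n in sorted(per_bucket.items())
                  if n > factor * base]
    return peaks

def rapid_buyers(events, window=10, max_purchases=2):
    """Return clients with more than `max_purchases` purchases of one item
    inside any `window`-second span (assumed faster than manual checkout)."""
    times = defaultdict(list)
    for ts, client, item, action in events:
        if action == "purchase":
            times[(client, item)].append(ts)
    flagged = set()
    for (client, _item), ts_list in times.items():
        ts_list.sort()
        for i in range(len(ts_list) - max_purchases):
            if ts_list[i + max_purchases] - ts_list[i] <= window:
                flagged.add(client)
                break
    return flagged

def sample_events():
    """Constructed events: (epoch_second, client_id, item_id, action)."""
    events = []
    for minute in range(10):            # quiet period before the sale opens
        for k in range(2):
            events.append((minute * 60 + k * 20, f"user-{k}", "TICKET-A", "view"))
    for k in range(30):                 # on-sale minute: burst of views
        events.append((600 + k, f"user-{k % 10}", "TICKET-A", "view"))
    for k in range(6):                  # one client, six purchases in six seconds
        events.append((601 + k, "client-x", "TICKET-A", "purchase"))
    events.append((640, "user-3", "TICKET-A", "purchase"))  # ordinary buyer
    return events

if __name__ == "__main__":
    print(traffic_peaks(sample_events()))
    print(rapid_buyers(sample_events()))
```

A peak on its own is also what a legitimate on-sale rush looks like, so the two checks are meant to be read together: the peak marks the interval to inspect, and the per-client purchase pace separates automated buyers from ordinary ones.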


Sectors targeted by Scalping

  • Entertainment
  • Financial
  • Retail


Can InfiSecure prevent Scalping?

InfiSecure’s advanced bot protection solution can protect websites from Scalping. InfiSecure can identify and restrict automated usage by fingerprinting the user agent for its unique characteristics and by reputation methods. InfiSecure blocks the most advanced persistent bots engaged in Scalping.