New Threat on the Rise – Denial of Inventory Attack

OWASP (Open Web Application Security Project), a well known online community that produces freely-available articles, methodologies, documentation, tools, and technologies in the field of web application security released their first guide called Automated Threat Handbook in late 2015 which purpose is to show all documented threats related to attacks accomplished by leveraging an automated tool, or a otherwise called a “bot” to perform abusive actions against a web property or an API in high volumes.

Recently, their handbook was updated with a new threat that depletes goods or services in stock without ever completing the purchase or committing to the transaction called Denial of Inventory.

How One AI-Driven Media Platform Cut EBS Costs for AWS ASGs by 48%

How One AI-Driven Media Platform Cut EBS Costs for AWS ASGs by 48%

In short – the attacking bots select and hold items from a limited inventory or stock (they add them to their carts), but never actually purchase them. This renders legitimate users unable to buy, pay or confirm the items themselves.

A futuristic robot holding a shopping cart,featuring a sleek design with various sensors and lights.
Image Source

Symptoms

Also known as a Hoarding attack, Denial of Inventory is not a threat that should be ignored, being the symptoms of this specific attack are the following:

  • Inventory balances reduce quickly
  • Increased stock held in baskets, carts or reservations
  • Elevated cart abandonment
  • Reduced use of payment step
  • Increasing complaints from users being unable to obtain goods/services

Targeted Sectors

The first question that anyone reading about this particular subject is about whether their online assets are under threat considering the business sector they operate in.

The usual targeted sectors are the following:

  • eCommerce
  • Travel
  • Education
  • Entertainment
  • Financial
  • Government
  • Health
  • Retail
  • Technology

The Analysis

Even though Denial of Inventory was only just recently added to OWASP’s handbook, the threat has been around for some time now, typically targeting eCommerce websites.

The problem comes from the fact that online stores usually take an item out of the available inventory once it’s added to the shopping cart to enable the user to complete the purchase and not find out that it is out of stock until the checkout is completed. The usual amount of time that the item will be held out of the inventory for a potential new customer is around 10-15 minutes before concluding the shopper has left the website, after that time the item is returned to stock.

A Denial of Inventory bot will proceed to constantly add the item to the shopping cart (in this case every 10-15 minutes) which means that when the cart empties and the items are returned to the inventory, the automated bot will put them back in their cart continuing to do so indefinitely (or until the attack is complete).

Diagram illustrating target URLs, allocation processes, and commitment processes.
Image Source

Technically, a Denial of Inventory attack is a specific form of an Application Layer DDoS attack (Distributed Denial of Service). In a typical DDoS attack, an attacker abuses the application in order to overload the server and prevent it from operating correctly by depleting its available resources.

In this case we’re looking at a business level, logistical denial of service where the user exhausts stock and blocks the website from selling the product and generating expected revenue. It is possible that this type of attack can heavily impact the revenue stream of the retailer by impacting margins, since when it becomes apparent that the hoarded goods were not actually sold the retailers must aggressively discount in order to sell the hoarded inventory.

How To Stay Safe

It is very important to understand that the Denial of Inventory attack is performed by an automated bot, and not a human and that they will likely repeat themselves. Businesses need to implement systems that will be able to identify actions like these so proper mitigation can be activated when needed.

Limit the absolute time shoppers can hold items in their carts by limiting the amount of times they can add the item to the cart in the first place. This can get tricky since bots are becoming increasingly intelligent and can change IP addresses and similar.

If you suspect bad bot abuses you should always turn to experts like GlobalDots to quickly turn the tables. Contact us today to help you out with your performance and security needs.

Latest Articles

Three Ways CISOs Can Combat Emerging Threats in 2025

73% of CISOs fear a material cyberattack in the next 12 months, with over three-quarters convinced AI is advancing too quickly for existing methods to combat it. But what can CISOs do to prepare for the coming wave – and access the resources they need to deal with this evolving threat landscape? To find out, […]

11th November, 2024
How Optimizing Kafka Can Save Costs of the Whole System

Kafka is no longer exclusively the domain of high-velocity Big Data use cases. Today, it is utilized on by workloads and companies of all sizes, supporting asynchronous communication between even small groups of microservices.  But this expanded usage has led to problems with cost creep that threaten many companies’ bottom lines. And due to the […]

Itay Tal Head of Cloud Services
29th September, 2024
Migrating Volumez RedHat VMs into Amazon Linux 2 for higher effective discounts rate of Saving Plan

A cloud data infrastructure company relied on extensive use of multiple instance types to test its products. But this made it difficult to optimize costs – a fact which had begun to impact their ability to scale the business.   The GlobalDots team helped the company identify and implement a new infrastructure configuration that both saved […]

Itay Tal Head of Cloud Services
19th September, 2024
How Yuki Achieved SOC 2 Compliance 6x Faster

Overview A fast-growing Snowflake optimization platform was missing out on customers because they didn’t have the right data security compliance. Through multiple consultations and extensive vendor-testing, the GlobalDots team selected a solution to provide both tech and human support, helping the company achieve SOC 2 compliance within just 3 months – and win new customers […]

Itay Tal Head of Cloud Services
16th September, 2024

Unlock Your Cloud Potential

Schedule a call with our experts. Discover new technology and get recommendations to improve your performance.

    GlobalDots' industry expertise proactively addressed structural inefficiencies that would have otherwise hindered our success. Their laser focus is why I would recommend them as a partner to other companies

    Marco Kaiser
    Marco Kaiser

    CTO

    Legal Services

    GlobalDots has helped us to scale up our innovative capabilities, and in significantly improving our service provided to our clients

    Antonio Ostuni
    Antonio Ostuni

    CIO

    IT Services

    It's common for 3rd parties to work with a limited number of vendors - GlobalDots and its multi-vendor approach is different. Thanks to GlobalDots vendors umbrella, the hybrid-cloud migration was exceedingly smooth

    Motti Shpirer
    Motti Shpirer

    VP of Infrastructure & Technology

    Advertising Services