.svg)
OWASP Deep Dive Series — Part 3 of 10
OAT-005 Scalping: The Bot That Shops Faster Than Your Customers Can
When a limited-edition sneaker drops, a PlayStation console restocks, or presale tickets for a stadium show go live, the race to the checkout is over in seconds. Most of the time, your customers lost before they even opened a browser tab.
That's OAT-005 Scalping. It's not a payment fraud problem or a login security problem. It's a business logic problem that most application security tools aren't designed to address.
OWASP defines scalping as obtaining limited-availability or preferred goods and services through automated means that a normal user cannot replicate manually. The bot doesn't need to steal credentials or exploit a vulnerability. It simply moves faster, at a scale no human can match, exploiting the gap between what your application allows and what your business intends.
The business impact is direct and visible. Customers who can't complete legitimate purchases don't just complain. They churn. Scalped inventory ends up on secondary markets at three to five times retail price, training your customers to never trust that they'll get fair access to your platform. In regulated verticals like ticketing, this is a legal exposure. In ecommerce, it's a brand reputation problem that marketing spend can't fix. In healthcare or government contexts, where appointment slot bots emerged during vaccine rollouts, it creates genuine access equity harms.
What makes scalping particularly damaging is that it looks like success. Traffic spikes. Checkout conversion fires. Revenue lands. Your monitoring dashboards go green while a cohort of automated buyers cleans out your inventory and your real customers get waitlist emails.
How the attack moves through the stack
Scalping bots don't storm the gates. They walk in through the front door, politely, and take everything.
The anatomy of a typical scalping operation starts well before the add-to-cart event. Bots are deployed in monitoring mode, polling product pages and inventory APIs, sometimes at intervals of a few seconds, watching for a status change from unavailable to available. This reconnaissance phase looks nearly identical to organic browsing traffic. The requests hit standard product endpoints, carry reasonable headers, and arrive at low enough frequency that rate limiting doesn't trigger.
The moment inventory becomes available, the attack shifts from monitoring to acquisition. Bots move through the purchase flow. Add to cart, apply promo codes, populate shipping fields, submit payment. All in a fraction of a second. A well-built scalping bot can complete checkout end-to-end faster than a human can read a CAPTCHA. Because each bot instance is completing a genuine transaction, not flooding a login endpoint, the behavior looks like an unusually fast customer, not an attack.
At the network layer, scalping bots have learned to blend. Modern deployments route through residential proxy networks, cycling IP addresses tied to real ISPs across multiple geographies. User-agent strings are rotated. TLS fingerprints are crafted to mimic current browser releases. Some operations use real headless browsers with full JavaScript execution, rendering the same client-side signals your WAF or CDN bot detection uses for classification.
.png)
By the time the requests reach your application, the fingerprint looks human enough to pass most edge checks. What the traffic doesn't look like is a single user naturally browsing your site. That distinction requires application-layer context. Scalping is behavioral. It's about what the session does, not what it looks like at the packet level.
What happens when the alert fires
The first indication of a scalping attack usually isn't a security alert. It's a customer service queue.
Your inventory drops to zero in under two minutes. Social media fills with complaints from customers who clicked "buy" and immediately received an out-of-stock message. Your ecommerce team starts asking questions. Someone checks the transaction logs. Eventually, the security team gets looped in.
By then, the damage is done. The bots completed legitimate-looking checkout flows. Orders were placed with real payment methods, often gift cards or prepaid cards that are difficult to reverse, and the goods are either already reserved in warehouse or en route. Chargebacks and fraud reviews arrive days later, after the scalpers have already listed the inventory on secondary markets.
If a WAF does generate an alert, it's typically a rate limit hit on the checkout endpoint, triggered after the attack has already succeeded. The alert fires late, surfaces an IP address or a thin slice of request metadata, and lands in a queue where it competes with dozens of other medium-severity items. The analyst on call has to decide: is this a real customer who got flagged, or a bot? The signal the WAF provides isn't sufficient to answer that question with confidence.
.png)
This is the enforcement gap in full effect. Detection that happens after the fact isn't detection. It's a log. And a WAF rule that blocks a checkout endpoint after inventory is exhausted isn't enforcement. It's cleanup.
The deeper problem is structural. WAFs are positioned at the edge, evaluating requests in isolation against pattern signatures and rate thresholds. Scalping doesn't trip those wires because the requests are individually valid. What makes a scalping session an attack is the combination of speed, purchase intent, sequence compression, and behavioral patterns across the session. This context only exists inside the application, not at the perimeter.
When security teams do attempt to tune WAF rules for scalping, they run into a familiar wall: the blast radius of enforcement is too unpredictable. Block too aggressively on checkout velocity and you'll stop legitimate customers during a flash sale. Allow too much and the bots win. Without the ability to observe what a rule would block against real traffic before applying it, most teams don't enforce at all. They document the attack, write a post-incident report, and add scalping to the list of threats they're "monitoring."
What we see when detection and enforcement share a request path
The WAF's scalping problem isn't detection sensitivity. It's architectural. A tool positioned outside the application can only see the surface of a request. Scalping lives in the behavior of a session.
Impart operates inside the request path, which means detection has access to the full application context that edge tools can't see: the sequence of API calls within a session, the timing between add-to-cart and checkout submission, the relationship between account age and purchase velocity, whether a session hit the availability polling endpoint seventeen times in the last sixty seconds before immediately completing a purchase. These signals exist at the application layer. They're only visible from inside it.
Behavioral detection for scalping doesn't work off a signature. It works off intent. A bot monitoring inventory and snapping up units the moment they go live exhibits a pattern. Compressed session timelines. No browse-to-compare behavior. Purchase flows that skip the interactions real customers make like pausing to read product descriptions, adjusting quantities, applying and removing discount codes. Impart correlates these signals across sessions and across time, building the profile of what a scalping operation looks like against your specific application, your specific inventory patterns, and your specific user behavior baseline.
.png)
But detection accuracy, even good detection accuracy, isn't enough on its own. The industry has been stuck in monitor mode for years because security teams can't enforce what they can't validate. Blocking checkout traffic during a high-demand product drop without knowing your false positive rate is a risk no team should accept on intuition.
Shadow mode changes that calculus. Before a single request is enforced, Impart runs detections against live production traffic with no enforcement actions taken. Every session that would be blocked is logged with the full evidence chain: the sequence of requests that triggered the detection, the behavioral signals that contributed to the decision, the session attributes that distinguished it from legitimate traffic. Teams review that evidence against their own traffic, their own edge cases, their own understanding of what a legitimate high-velocity customer looks like. When enforcement turns on, it's not a guess. It's a decision backed by production data.
The result is that enforcement actually happens. Scalping bots that pass every edge check get stopped at the checkout endpoint. Legitimate customers (even the ones who have fast fingers!) continue through normally because the behavioral signal distinguishes speed from automation. The inventory stays available to the people it was meant for.
That's not a WAF rule. That's runtime enforcement with application-layer intelligence.
See what you would block before you block it.
Impart closes the enforcement gap for credential stuffing and all 21 OWASP automated threats. Shadow mode against live traffic. Full decision evidence. Enforcement when you're ready.
OWASP Deep Dive Series
This post is part of a 10-part series examining how OWASP automated threats expose the gap between detection and enforcement, and what changes when both move into the application's request path.