Denial of Inventory
Denial of inventory is a type of automated abuse targeting e-commerce platforms and other online booking systems, in which malicious actors use bots to deplete available stock or reservations without ever completing a purchase. By holding items in shopping carts or reserving slots repeatedly, attackers prevent legitimate customers from buying, causing lost sales, brand damage, and distorted inventory data for the targeted business [1]. The attack is related to — but distinct from — scalping, where goods are actually purchased and resold at a markup; in a denial-of-inventory attack, the attacker's goal is disruption rather than acquisition [1].
While most prominent in retail e-commerce, the same technique is applied against ticketing platforms, travel booking systems, and healthcare appointment services [2]. Regulatory responses have so far been limited to the ticketing sector, where the United States enacted the Better Online Ticket Sales (BOTS) Act in 2016 [3]; no equivalent legislation covers general retail.
Mechanism
Most e-commerce and booking systems temporarily reserve stock or availability when a user adds an item to their cart or initiates a reservation, holding it for a set window — typically a few minutes to half an hour — before releasing it back to the pool if no transaction is completed. Denial-of-inventory attacks exploit this reservation window by deploying automated bots that continuously add items to carts and refresh the hold before it expires, keeping stock perpetually locked away from ordinary shoppers [1].
Because no payment is required to trigger a reservation, the attacker incurs no financial cost. A preliminary reconnaissance bot is often deployed first to identify product release times, stock levels, and the specific timing of cart expiry, before the hoarding bot is launched [2]. The hoarding bot may operate across many IP addresses, rotating proxies, and fake accounts to avoid detection and circumvent rate limits [2].
The same logic applies beyond physical goods. OWASP notes that inventory exhaustion also occurs in the assignment of non-goods such as service allocations, queue positions, and appointment slots [1] — a pattern observed, for instance, during high-demand vaccine rollouts.
Targeted sectors
Any platform that manages scarce, time-sensitive allocations is a potential target [2]:
- E-commerce is the most commonly affected sector, particularly during limited-edition product launches such as sneakers, gaming consoles, and collectibles, where demand far exceeds supply.
- Ticketing is heavily affected, with bots documented as accounting for a substantial share of traffic during high-demand on-sale events.
- Travel and hospitality platforms — airlines, hotels, and restaurant reservation systems — are vulnerable to bots holding seats or rooms without payment.
- Healthcare systems offering online appointment booking, particularly during periods of high demand such as vaccine rollouts, have also been targeted.
Motivations
Attackers pursue denial of inventory for several reasons [2]:
- Competitive disruption: A competitor's bot may lock up stock to damage a rival's reputation or redirect customers to their own platform.
- Scalping preparation: Attackers may lock out competitors before purchasing stock themselves through a separate channel to resell at inflated prices. This blurs the line between denial of inventory and scalping.
- Inventory intelligence: Repeatedly adding limited items to a cart can reveal a competitor's stock levels, since the system will refuse the hold once inventory is exhausted.
- Reputational damage: Making a product appear permanently out of stock, especially at launch, can harm consumer trust in a brand.
Impact
The consequences fall on retailers, consumers, and the broader market [4]:
- Retailers face direct revenue loss when legitimate customers cannot complete purchases, as well as long-term brand damage when launches appear to sell out instantly despite low genuine demand. Bot traffic — bad bots accounted for around 17.7% of all e-commerce traffic in Imperva's 2019 study — also inflates infrastructure costs and corrupts analytics, undermining pricing and marketing decisions.
- Consumers are unable to buy at retail price and are often forced to turn to secondary markets at significant markups.
- Inventory and forecasting systems are distorted by artificial demand signals, leading to poor restocking and procurement decisions.
Countermeasures
Retailers and platform operators employ several defensive approaches, though no single measure is fully effective in isolation [1][2]:
- Short cart reservation timeouts reduce the window during which stock can be held without payment, forcing bots to refresh more frequently and increasing the chance of detection.
- Bot detection and CAPTCHA systems attempt to identify and block automated clients before they can place or refresh reservations.
- Rate limiting restricts the number of cart additions or reservation requests from a single IP address or account within a given timeframe. Advanced bots evade this by rotating across large numbers of IP addresses.
- Virtual queue systems replace instant cart access with a waiting room for high-demand launches, reducing the advantage of speed that bots rely on.
- Payment-first flows require a payment commitment before stock is reserved, raising the cost and risk for attackers.
- Account verification requirements, such as confirmed identity or purchase history, make it harder to operate large numbers of throwaway accounts.
Sophisticated bot operators adapt continuously to these measures, using residential proxies, browser fingerprint spoofing, and machine learning to mimic human behaviour [2].
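The following Python model is an added illustration, not code from any of the sources cited here. It implements the hold-and-expire mechanism described under Mechanism together with two of the countermeasures above: a cap on how often a single hold may be refreshed, and blocking of sessions whose holds repeatedly lapse without payment. The timeout, thresholds, SKU and session names are assumed values chosen for the constructed scenario.

```python
from collections import defaultdict

HOLD_TTL = 300       # seconds an unpaid cart hold lasts (assumed value)
MAX_RENEWALS = 2     # refreshes allowed on one hold before it must lapse or convert
ABANDON_LIMIT = 3    # unpaid expired holds per session before the session is blocked

class InventoryHolds:
    def __init__(self, stock):
        self.stock = dict(stock)            # sku -> units free to hold
        self.holds = {}                     # (session, sku) -> (expires_at, renewals)
        self.abandoned = defaultdict(int)   # session -> holds that expired unpaid
        self.blocked = set()                # sessions treated as hoarders

    def _release_expired(self, now):
        # Return lapsed holds to the pool and count them against the session.
        for key, (expires_at, _) in list(self.holds.items()):
            if expires_at <= now:
                session, sku = key
                self.stock[sku] += 1
                self.abandoned[session] += 1
                if self.abandoned[session] >= ABANDON_LIMIT:
                    self.blocked.add(session)   # repeated hold-and-drop pattern
                del self.holds[key]

    def reserve(self, session, sku, now):
        """Add one unit to a cart, or refresh an existing hold; returns the outcome."""
        self._release_expired(now)
        if session in self.blocked:
            return "blocked"
        key = (session, sku)
        if key in self.holds:
            expires_at, renewals = self.holds[key]
            if renewals >= MAX_RENEWALS:
                return "renewal_limit"          # hold keeps its current expiry
            self.holds[key] = (now + HOLD_TTL, renewals + 1)
            return "renewed"
        if self.stock.get(sku, 0) <= 0:
            return "sold_out"
        self.stock[sku] -= 1
        self.holds[key] = (now + HOLD_TTL, 0)
        return "held"

def run_scenario():
    """Constructed scenario: one session hoards a 2-unit SKU until it is blocked."""
    inv = InventoryHolds({"sneaker-001": 2})
    out = [inv.reserve("bot-A", "sneaker-001", t)
           for t in (0, 200, 400, 600, 800, 1200, 1600)]
    out.append(inv.reserve("shopper-1", "sneaker-001", 1600))  # legitimate shopper
    return out, inv
```

Once the renewal cap is hit the hold lapses, and after three unpaid expiries the session is blocked, so a unit is free for the ordinary shopper at the end of the scenario.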
Legal and regulatory context
Legislation addressing bot-driven inventory abuse has so far been narrowly scoped to the ticketing sector. In the United States, the Better Online Ticket Sales (BOTS) Act of 2016 prohibits the circumvention of access controls on online ticket platforms and the resale of tickets obtained through such circumvention, with enforcement delegated to the Federal Trade Commission [3]. No equivalent federal legislation covers denial-of-inventory attacks in general retail e-commerce.
In most jurisdictions, denial-of-inventory attacks sit in a legal grey area. Because no purchase is completed and no system is technically breached in the conventional sense, the activity does not straightforwardly constitute a crime under existing computer fraud statutes; it may, however, violate a platform's terms of service, potentially giving rise to civil claims.
References
- [1] OWASP Foundation. OAT-021 Denial of Inventory. https://owasp.org/www-project-automated-threats-to-web-applications/assets/oats/EN/OAT-021_Denial_of_Inventory.
- [2] GeeTest (2022-09-23). Inventory Bots Explained: How to Stop Denial of Inventory Attack? https://www.geetest.com/en/article/inventory-bots-and-denial-of-inventory-attacks.
- [3] Better Online Ticket Sales Act of 2016 (BOTS Act), S. 3183, 114th Congress (2016-12-14). https://www.congress.gov/bill/114th-congress/senate-bill/3183.
- [4] Imperva (2019). Threat Research: How Bots Affect E-commerce. https://softprom.com/sites/default/files/materials/Imperva-Threat-Research-How-bots-affect-ecommerce-FINAL.pdf.