Inappropriate coding practices - Performance

Inappropriate coding practices - Performance

Description

Within the code there are unsafe statements using a lot of machine resources, which affects the performance and response time of the application. Early Java API classes, such as Vector, Hashtable and StringBuffer, were synchronized to make them thread-safe. Unfortunately, synchronization has a major negative impact on performance, even when using these collections from a single thread.

Impact

Make requests to the system that may affect process performance and response times, since the system does not make use of the most optimal components and libraries.

Recommendation

Use the libraries that allow to execute the functions of concatenation and storage in collections in an optimized way (ArrayList and StringBuilder or SyncronizedList).

Threat

Anonymous user with access to the application.

Expected Remediation Time

⌚ 30 minutes.

Score

Default score using CVSS 3.1. It may change depending on the context of the src.

Base

  • Attack vector: N
  • Attack complexity: H
  • Privileges required: L
  • User interaction: N
  • Scope: U
  • Confidentiality: N
  • Integrity: N
  • Availability: L

Temporal

  • Exploit code maturity: P
  • Remediation level: O
  • Report confidence: X

Result

  • Vector string: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:L/E:P/RL:O/RC:X
  • Score:
    • Base: 3.1
    • Temporal: 2.8
  • Severity:
    • Base: Low
    • Temporal: Low

Score 4.0

Default score using CVSS 4.0. It may change depending on the context of the src.

Base 4.0

  • Attack vector: N
  • Attack complexity: H
  • Attack Requirements: N
  • Privileges required: L
  • User interaction: N
  • Confidentiality (VC): N
  • Integrity (VI): N
  • Availability (VA): L
  • Confidentiality (SC): N
  • Integrity (SI): N
  • Availability (SA): N

Threat 4.0

  • Exploit maturity: P

Result 4.0

  • Vector string: CVSS:4.0/AV:N/AC:H/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:P
  • Score:
    • CVSS-BT: 1.3
  • Severity:
    • CVSS-BT: Low

Compliant code

The application uses efficient methods to prevent consuming extra resources in the machine 

                class Main {
  public static void main(User user) {
    private userPost = new Post(user.newPost);
    user.posts.append(userPost);
  }
}

Non compliant code

The application uses an inefficient method to store user posts that could consume many computer resources 

                class Main {
  public static void main(User user) {
    StringBuffer str = new StringBuffer(user.posts);
    str.append(user.newPost);
  }
}

Requirements

Fixes

Free trial message
Free trial
Search for vulnerabilities in your apps for free with Fluid Attacks' automated security testing! Start your 21-day free trial and discover the benefits of the Continuous Hacking Essential plan. If you prefer the Advanced plan, which includes the expertise of Fluid Attacks' hacking team, fill out this contact form.