Inappropriate coding practices - Performance
Description
Within the code there are unsafe statements using a lot of machine resources, which affects the performance and response time of the application. Early Java API classes, such as Vector, Hashtable and StringBuffer, were synchronized to make them thread-safe. Unfortunately, synchronization has a major negative impact on performance, even when using these collections from a single thread.
Impact
Make requests to the system that may affect process performance and response times, since the system does not make use of the most optimal components and libraries.
Recommendation
Use the libraries that allow to execute the functions of concatenation and storage in collections in an optimized way (ArrayList and StringBuilder or SyncronizedList).
Threat
Anonymous user with access to the application.
Expected Remediation Time
⌚ 30 minutes.
Score
Default score using CVSS 3.1. It may change depending on the context of the src.
Base
- Attack vector: N
- Attack complexity: H
- Privileges required: L
- User interaction: N
- Scope: U
- Confidentiality: N
- Integrity: N
- Availability: L
Temporal
- Exploit code maturity: P
- Remediation level: O
- Report confidence: X
Result
- Vector string: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:L/E:P/RL:O/RC:X
- Score:
- Base: 3.1
- Temporal: 2.8
- Severity:
- Base: Low
- Temporal: Low
Score 4.0
Default score using CVSS 4.0 . It may change depending on the context of the src.
Base 4.0
- Attack vector: N
- Attack complexity: H
- Attack Requirements: N
- Privileges required: L
- User interaction: N
- Confidentiality (VC): N
- Integrity (VI): N
- Availability (VA): L
- Confidentiality (SC): N
- Integrity (SI): N
- Availability (SA): N
Threat 4.0
- Exploit maturity: P
Result 4.0
- Vector string: CVSS:4.0/AV:N/AC:H/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:P
- Score:
- CVSS-BT: 1.3
- Severity:
- CVSS-BT: Low
Compliant code
The application uses efficient methods to prevent consuming extra resources in the machine
class Main {
public static void main(User user) {
private userPost = new Post(user.newPost);
user.posts.append(userPost);
}
}
Non compliant code
The application uses an inefficient method to store user posts that could consume many computer resources
class Main {
public static void main(User user) {
StringBuffer str = new StringBuffer(user.posts);
str.append(user.newPost);
}
}
Requirements
Fixes
Search for vulnerabilities in your apps for free with Fluid Attacks' automated security testing! Start your 21-day free trial and discover the benefits of the Continuous Hacking Essential plan. If you prefer the Advanced plan, which includes the expertise of Fluid Attacks' hacking team, fill out this contact form.