Non-SQL Invokable Control Element with Excessive Number of Data Resource Accesses

Abstraction: Base
Structure: Simple
Status: Incomplete
Description

This weakness occurs when a client-side function or method makes an excessive number of individual data requests through a non-SQL data manager, instead of using more efficient bulk operations or database-native capabilities.

Extended Description

This pattern forces the application to handle data piecemeal, creating significant performance overhead: each individual request adds its own network latency and processing time, slowing down the entire operation. What counts as "excessive" varies by context, but a common guideline (such as CISQ's) limits a function to at most two data access calls in order to keep it responsive. If an attacker can trigger this inefficient code path, the performance degradation can be exploited to cause a denial of service (DoS) by exhausting server resources. To fix this, developers should consolidate data requests, implement server-side filtering or aggregation, and use the data layer's built-in efficient querying features instead of fetching records one at a time in a loop.
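Added example (not part of the CWE entry): a Python sketch of the access pattern described above, run against a constructed in-memory key-value store that stands in for a non-SQL data manager. `CounterStore`, the invoice records and the `MAX_ACCESSES` constant are all constructed here; the piecemeal loop costs one round trip per record, while the bulk read and the server-side filter keep each function within the two-access guideline.

```python
from dataclasses import dataclass

MAX_ACCESSES = 2  # the CISQ guideline figure quoted in the entry

@dataclass
class CounterStore:
    """Constructed stand-in for a non-SQL key-value store; counts round trips."""
    data: dict
    calls: int = 0

    def get(self, key):            # one record per round trip
        self.calls += 1
        return self.data.get(key)

    def mget(self, keys):          # bulk read: many records in one round trip
        self.calls += 1
        return {k: self.data[k] for k in keys if k in self.data}

    def scan(self, predicate):     # filtering done by the data layer, one round trip
        self.calls += 1
        return {k: v for k, v in self.data.items() if predicate(v)}

def total_unpaid_piecemeal(store, invoice_ids):
    # Weakness pattern: N ids cost N accesses, so cost scales with whoever controls N.
    total = 0
    for inv_id in invoice_ids:
        inv = store.get(inv_id)
        if inv and not inv["paid"]:
            total += inv["amount"]
    return total

def total_unpaid_bulk(store, invoice_ids):
    # Remediation: consolidate into one bulk read, then aggregate locally.
    invoices = store.mget(invoice_ids)
    return sum(inv["amount"] for inv in invoices.values() if not inv["paid"])

def total_unpaid_server_side(store):
    # Remediation: push the filter to the data layer; one access regardless of N.
    unpaid = store.scan(lambda inv: not inv["paid"])
    return sum(inv["amount"] for inv in unpaid.values())

# Constructed sample records: invoice i is unpaid when i is odd.
SAMPLE = {f"inv{i}": {"amount": 10 * i, "paid": i % 2 == 0} for i in range(1, 11)}

def compare(n_ids=10):
    """Return (totals, access counts, within-guideline flags) for the three strategies."""
    ids = [f"inv{i}" for i in range(1, n_ids + 1)]
    a, b, c = (CounterStore(SAMPLE) for _ in range(3))
    totals = (total_unpaid_piecemeal(a, ids), total_unpaid_bulk(b, ids), total_unpaid_server_side(c))
    calls = (a.calls, b.calls, c.calls)
    return totals, calls, tuple(n <= MAX_ACCESSES for n in calls)
```

All three strategies return the same total, but only the first one's access count grows with the length of the id list, which is the property a reviewer or static analysis rule should flag.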

Common Consequences

Scope: Other
Impact: Reduce Performance

References

[REF-959] Object Management Group (OMG). "Automated Source Code Performance Efficiency Measure (ASCPEM)". 2016-01.
Applicable Platforms
Languages:
SQL : Often
Technologies:
Database Server : Often
Taxonomy Mapping
  • OMG ASCPEM