Security best practices for ServiceNow

The following table shows the list of best practices for ServiceNow security.


| Description | Severity | Configuration Element Type |
|---|---|---|
| JavaScript - Avoid use of Function Constructors | High | Access control, Business rules, Client script, Catalog client scripts, Email script, Inbound email action, Record producer, Script action, Script include, Scripted rest resource, Table transform map, Transform script, UI Action, UI Script, Widget, Widget Angular Provider |
| JavaScript - Avoid use of WebDB | High | Access control, Business rules, Client script, Catalog client scripts, Email script, Inbound email action, Record producer, Script action, Script include, UI Action, UI Script, Widget, Widget Angular Provider |
| JavaScript - Avoid use of debugger statements | High | Access control, Business rules, Client script, Catalog client scripts, Email script, Inbound email action, Record producer, Script action, Script include, Scripted rest resource, UI Action, UI Script, Widget, Widget Angular Provider |
| JavaScript - Avoid unrestricted targetOrigin on cross-domain messaging | High | Access control, Business rules, Client script, Catalog client scripts, Email script, Inbound email action, Record producer, Script action, Script include, Scripted rest resource, UI Action, UI Script, Widget, Widget Angular Provider |
| Possible use of private data | Warning | Access control, Client script, Catalog client scripts, Email script, Inbound email action, Record producer, Script action, Script include, Scripted rest resource, Table transform map, Transform script, UI Action, UI Script, Widget, Widget Angular Provider |
| JavaScript - Avoid making connections on unsafe protocols | Warning | Access control, Business rules, Client script, Catalog client scripts, Email script, Inbound email action, Record producer, Script action, Script include, Scripted rest resource, Table transform map, Transform script, UI Action, UI Script, Widget, Widget Angular Provider |
| Business Rules using eval function | High | Business rules |
| Possible extra-sensitive PII usage in configuration element - Gender | High | Business rules, Client script, Catalog client script, Dictionary, Script include, Script action, Scripted rest resource |
| Possible extra-sensitive PII usage in configuration element - Religion | High | Business rules, Client script, Catalog client script, Dictionary, Script include, Script action, Scripted rest resource |
| Possible PII usage in configuration element - Email | Warning | Business rules, Client script, Catalog client script, Dictionary, Inbound email action, Script action, Script include, Scripted rest resource |
| Possible PII usage in configuration element - Address | Warning | Business rules, Client script, Catalog client script, Dictionary, Inbound email action, Script action, Script include, Scripted rest resource |
| Possible PII usage in configuration element - Nationality | Warning | Business rules, Client script, Catalog client script, Dictionary, Inbound email action, Script action, Script include, Scripted rest resource |
| Possible PII usage in configuration element - Passport | Warning | Business rules, Client script, Catalog client script, Dictionary, Inbound email action, Script action, Script include, Scripted rest resource |
| JavaScript - Avoid use of Eval function | High | Client script, Catalog client scripts, Record producer, Scripted rest resource, UI Script, Widget, Widget Angular Provider |
| Javascript - Avoid use of local storage on Client Scripts | High | Client script, Catalog client scripts, UI Action, UI Script, Widget, Widget Angular Provider |
| Possible use of private data - Catalog UI Policy script False | Warning | Catalog UI policy |
| Possible use of private data - Catalog UI Policy script True | Warning | Catalog UI policy |
| JavaScript - Avoid use of Function Constructors - Catalog UI Policy script False | High | Catalog UI policy |
| JavaScript - Avoid use of Function Constructors - Catalog UI Policy script True | High | Catalog UI policy |
| JavaScript - Avoid making connections on unsafe protocols - Catalog UI Policy script False | Warning | Catalog UI policy |
| JavaScript - Avoid making connections on unsafe protocols - Catalog UI Policy script True | Warning | Catalog UI policy |
| JavaScript - Avoid unrestricted targetOrigin on cross-domain messaging - Catalog UI Policy script False | High | Catalog UI policy |
| JavaScript - Avoid unrestricted targetOrigin on cross-domain messaging - Catalog UI Policy script True | High | Catalog UI policy |
| JavaScript - Avoid use of debugger statements - Catalog UI Policy script False | High | Catalog UI policy |
| JavaScript - Avoid use of debugger statements - Catalog UI Policy script True | High | Catalog UI policy |
| JavaScript - Avoid use of WebDB - Catalog UI Policy script False | High | Catalog UI policy |
| JavaScript - Avoid use of WebDB - Catalog UI Policy script True | High | Catalog UI policy |
| Possible use of private data - UI Policy script False | Warning | UI Policy |
| Possible use of private data - UI Policy script True | Warning | UI Policy |
| JavaScript - Avoid use of Function Constructors - UI Policy script False | High | UI Policy |
| JavaScript - Avoid use of Function Constructors - UI Policy script True | High | UI Policy |
| JavaScript - Avoid making connections on unsafe protocols - UI Policy script False | Warning | UI Policy |
| JavaScript - Avoid making connections on unsafe protocols - UI Policy script True | Warning | UI Policy |
| JavaScript - Avoid unrestricted targetOrigin on cross-domain messaging - UI Policy script False | High | UI Policy |
| JavaScript - Avoid unrestricted targetOrigin on cross-domain messaging - UI Policy script True | High | UI Policy |
| JavaScript - Avoid use of debugger statements - UI Policy script False | High | UI Policy |
| JavaScript - Avoid use of debugger statements - UI Policy script True | High | UI Policy |
| JavaScript - Avoid use of WebDB - UI Policy script False | High | UI Policy |
| JavaScript - Avoid use of WebDB - UI Policy script True | High | UI Policy |
| JavaScript - Avoid use of WebDB | High | Script include |
| AngularJS - Denial of Service attack through DOM clobbering on versions under 1.6.3 | High | UI Script |
| AngularJS - Prototype Pollution Vulnerability under 1.7.9 | High | UI Script |
| AngularJS - XSS vulnerability through the attribute "usemap" from 1.0.0 to 1.2.30 | High | UI Script |
| AngularJS - XSS vulnerability through the attribute "usemap" from 1.3.0 to 1.5.0-rc2 | High | UI Script |
| AngularJS - XSS vulnerability under 1.8.0 - input HTML | High | UI Script |
| AngularJS - XSS vulnerability using AngularJS under 1.6.5 in Firefox and Safari - sanitize on inert Documents | High | UI Script |
| AngularJS - XSS vulnerability using AngularJS under 1.6.9 with Firefox | High | UI Script |
| jQuery - Prototype Pollution Vulnerability under 3.4.0 | High | UI Script |
| jQuery - XSS vulnerability under 1.6.3, when using location.hash | High | UI Script |
| jQuery - XSS vulnerability under 1.9.0, when using jQuery(strInput) | High | UI Script |
| jQuery - XSS vulnerability under 3.0.0, when making cross-domain calls without the dataType option | High | UI Script |
| jQuery - XSS vulnerability under 3.5.0, when using htmlPrefilter | High | UI Script |
| jQuery-ui-dialog - XSS vulnerability under 1.10.0, closeText parameter | High | UI Script |
| jQuery-ui-dialog - XSS vulnerability under 1.10.0, title attribute | High | UI Script |
| moment.js - Regular Expression Denial of Service Vulnerability | High | UI Script |
| XSS vulnerability in Ext JS Action Column getTip | High | UI Script |
| The "Security Manager" System Property is set to "Allow Access" | High | System property |
| SOAP Request Strict Security should be enabled | High | System property |
| SSLv2/SSLv3 should be disabled | High | System property |
| Escape Jelly should be enabled | High | System property |
| Escape HTML should be enabled | High | System property |
| Enable AJAXEvaluate should be disabled | High | System property |
| AJAXGlideRecord ACL Checking should be enabled | High | System property |
| "Check UI Action Conditions check before Execution" should be enabled | High | System property |
| Escape XML should be enabled | High | System property |
| Client Generated Scripts Sandbox should be enabled | High | System property |
| HTML Sanitizer property should be enabled | High | System property |
| Java Package Collection mode and Collection mode override properties should be disabled | High | System property |
| Cookies - HTTP Only should be enabled | High | System property |
| CSV Request Authorization should be enabled | High | System property |
| Basic Auth SOAP Requests setting should be enabled | High | System property |
| Old UI enabled or being used | High | System property |
| Script Request Authorization should be enabled | High | System property |
| "Allow Javascript tags in Embedded HTML" property should be disabled | High | System property |
| The sn_hr_core.impersonateCheck System Property is false | High | System property |
| Anti-CSRF Token setting should be enabled | High | System property |
| High Security Settings plugin disabled | High | Inactive security plugins |
| Contextual Security Plugin disabled | High | Inactive security plugins |
| GlideRecord API usage in Scripted REST API Resource | High | Scripted rest resource |
| REST API Resource modifying data without Authentication check | High | Scripted rest resource |
| REST API Resource modifying data without Authentication check - No Author | High | Scripted rest resource |
Last modified on Jan 18, 2021