Security Best Practices For ServiceNow

The following table lists the security best-practice checks for ServiceNow, the severity assigned to each finding (High or Warning), and the configuration element types each check applies to.

| Description | Severity | Configuration Element Type |
|---|---|---|
| JavaScript – Avoid use of Function Constructors | High | Access control, Business rules, Client script, Catalog client scripts, Email script, Inbound email action, Record producer, Script action, Script include, Scripted rest resource, Table transform map, Transform script, UI Action, UI Script, Widget, Widget Angular Provider |
| JavaScript – Avoid use of WebDB | High | Access control, Business rules, Client script, Catalog client scripts, Email script, Inbound email action, Record producer, Script action, Script include, UI Action, UI Script, Widget, Widget Angular Provider |
| JavaScript – Avoid use of debugger statements | High | Access control, Business rules, Client script, Catalog client scripts, Email script, Inbound email action, Record producer, Script action, Script include, Scripted rest resource, UI Action, UI Script, Widget, Widget Angular Provider |
| JavaScript – Avoid unrestricted targetOrigin on cross-domain messaging | High | Access control, Business rules, Client script, Catalog client scripts, Email script, Inbound email action, Record producer, Script action, Script include, Scripted rest resource, UI Action, UI Script, Widget, Widget Angular Provider |
| Possible use of private data | Warning | Access control, Client script, Catalog client scripts, Email script, Inbound email action, Record producer, Script action, Script include, Scripted rest resource, Table transform map, Transform script, UI Action, UI Script, Widget, Widget Angular Provider |
| JavaScript – Avoid making connections on unsafe protocols | Warning | Access control, Business rules, Client script, Catalog client scripts, Email script, Inbound email action, Record producer, Script action, Script include, Scripted rest resource, Table transform map, Transform script, UI Action, UI Script, Widget, Widget Angular Provider |
| Business Rules using eval function | High | Business rules |
| Possible extra-sensitive PII usage in configuration element – Gender | High | Business rules, Client script, Catalog client script, Dictionary, Script include, Script action, Scripted rest resource |
| Possible extra-sensitive PII usage in configuration element – Religion | High | Business rules, Client script, Catalog client script, Dictionary, Script include, Script action, Scripted rest resource |
| Possible PII usage in configuration element – Email | Warning | Business rules, Client script, Catalog client script, Dictionary, Inbound email action, Script action, Script include, Scripted rest resource |
| Possible PII usage in configuration element – Address | Warning | Business rules, Client script, Catalog client script, Dictionary, Inbound email action, Script action, Script include, Scripted rest resource |
| Possible PII usage in configuration element – Nationality | Warning | Business rules, Client script, Catalog client script, Dictionary, Inbound email action, Script action, Script include, Scripted rest resource |
| Possible PII usage in configuration element – Passport | Warning | Business rules, Client script, Catalog client script, Dictionary, Inbound email action, Script action, Script include, Scripted rest resource |
| JavaScript – Avoid use of Eval function | High | Client script, Catalog client scripts, Record producer, Scripted rest resource, UI Script, Widget, Widget Angular Provider |
| JavaScript – Avoid use of local storage on Client Scripts | High | Client script, Catalog client scripts, UI Action, UI Script, Widget, Widget Angular Provider |
| Possible use of private data – Catalog UI Policy script (False) | Warning | Catalog UI policy |
| Possible use of private data – Catalog UI Policy script (True) | Warning | Catalog UI policy |
| JavaScript – Avoid use of Function Constructors – Catalog UI Policy script (False) | High | Catalog UI policy |
| JavaScript – Avoid use of Function Constructors – Catalog UI Policy script (True) | High | Catalog UI policy |
| JavaScript – Avoid making connections on unsafe protocols – Catalog UI Policy script (False) | Warning | Catalog UI policy |
| JavaScript – Avoid making connections on unsafe protocols – Catalog UI Policy script (True) | Warning | Catalog UI policy |
| JavaScript – Avoid unrestricted targetOrigin on cross-domain messaging – Catalog UI Policy script (False) | High | Catalog UI policy |
| JavaScript – Avoid unrestricted targetOrigin on cross-domain messaging – Catalog UI Policy script (True) | High | Catalog UI policy |
| JavaScript – Avoid use of debugger statements – Catalog UI Policy script (False) | High | Catalog UI policy |
| JavaScript – Avoid use of debugger statements – Catalog UI Policy script (True) | High | Catalog UI policy |
| JavaScript – Avoid use of WebDB – Catalog UI Policy script (False) | High | Catalog UI policy |
| JavaScript – Avoid use of WebDB – Catalog UI Policy script (True) | High | Catalog UI policy |
| Possible use of private data – UI Policy script (False) | Warning | UI Policy |
| Possible use of private data – UI Policy script (True) | Warning | UI Policy |
| JavaScript – Avoid use of Function Constructors – UI Policy script (False) | High | UI Policy |
| JavaScript – Avoid use of Function Constructors – UI Policy script (True) | High | UI Policy |
| JavaScript – Avoid making connections on unsafe protocols – UI Policy script (False) | Warning | UI Policy |
| JavaScript – Avoid making connections on unsafe protocols – UI Policy script (True) | Warning | UI Policy |
| JavaScript – Avoid unrestricted targetOrigin on cross-domain messaging – UI Policy script (False) | High | UI Policy |
| JavaScript – Avoid unrestricted targetOrigin on cross-domain messaging – UI Policy script (True) | High | UI Policy |
| JavaScript – Avoid use of debugger statements – UI Policy script (False) | High | UI Policy |
| JavaScript – Avoid use of debugger statements – UI Policy script (True) | High | UI Policy |
| JavaScript – Avoid use of WebDB – UI Policy script (False) | High | UI Policy |
| JavaScript – Avoid use of WebDB – UI Policy script (True) | High | UI Policy |
| JavaScript – Avoid use of WebDB | High | Script include |
| AngularJS – Denial of Service attack through DOM clobbering on versions under 1.6.3 | High | UI Script |
| AngularJS – Prototype Pollution Vulnerability under 1.7.9 | High | UI Script |
| AngularJS – XSS vulnerability through the attribute “usemap” from 1.0.0 to 1.2.30 | High | UI Script |
| AngularJS – XSS vulnerability through the attribute “usemap” from 1.3.0 to 1.5.0-rc2 | High | UI Script |
| AngularJS – XSS vulnerability under 1.8.0 – input HTML | High | UI Script |
| AngularJS – XSS vulnerability using AngularJS under 1.6.5 in Firefox and Safari – sanitize on inert Documents | High | UI Script |
| AngularJS – XSS vulnerability using AngularJS under 1.6.9 with Firefox | High | UI Script |
| jQuery – Prototype Pollution Vulnerability under 3.4.0 | High | UI Script |
| jQuery – XSS vulnerability under 1.6.3, when using location.hash | High | UI Script |
| jQuery – XSS vulnerability under 1.9.0, when using jQuery(strInput) | High | UI Script |
| jQuery – XSS vulnerability under 3.0.0, when making cross-domain calls without the dataType option | High | UI Script |
| jQuery – XSS vulnerability under 3.5.0, when using htmlPrefilter | High | UI Script |
| jQuery-ui-dialog – XSS vulnerability under 1.10.0, closeText parameter | High | UI Script |
| jQuery-ui-dialog – XSS vulnerability under 1.10.0, title attribute | High | UI Script |
| moment.js – Regular Expression Denial of Service Vulnerability | High | UI Script |
| XSS vulnerability in Ext JS Action Column getTip | High | UI Script |
| The “Security Manager” System Property is set to “Allow Access” | High | System property |
| SOAP Request Strict Security should be enabled | High | System property |
| SSLv2/SSLv3 should be disabled | High | System property |
| Escape Jelly should be enabled | High | System property |
| Escape HTML should be enabled | High | System property |
| Enable AJAXEvaluate should be disabled | High | System property |
| AJAXGlideRecord ACL Checking should be enabled | High | System property |
| “Check UI Action Conditions check before Execution” should be enabled | High | System property |
| Escape XML should be enabled | High | System property |
| Client Generated Scripts Sandbox should be enabled | High | System property |
| HTML Sanitizer property should be enabled | High | System property |
| Java Package Collection mode and Collection mode override properties should be disabled | High | System property |
| Cookies – HTTP Only should be enabled | High | System property |
| CSV Request Authorization should be enabled | High | System property |
| Basic Auth SOAP Requests setting should be enabled | High | System property |
| Old UI enabled or being used | High | System property |
| Script Request Authorization should be enabled | High | System property |
| “Allow Javascript tags in Embedded HTML” property should be disabled | High | System property |
| The sn_hr_core.impersonateCheck System Property is false | High | System property |
| Anti-CSRF Token setting should be enabled | High | System property |
| High Security Settings plugin disabled | High | Inactive security plugins |
| Contextual Security Plugin disabled | High | Inactive security plugins |
| GlideRecord API usage in Scripted REST API Resource | High | Scripted rest resource |
| REST API Resource modifying data without Authentication check | High | Scripted rest resource |
| REST API Resource modifying data without Authentication check – No Author | High | Scripted rest resource |