In this article, I will cover the security aspects you must keep in mind before carrying out penetration testing on your ServiceNow instance, and the scope of penetration testing in ServiceNow. Let us start with the security aspects.
Major security aspects of a PEN test from a ServiceNow perspective
You should consider the following points:
- If a malicious string or script is passed into string fields via APIs, characters and tags such as “<”, “>” and “</script>” need to be replaced or removed before the value is stored, to stop malicious script execution on the system.
- Where custom field values are made read-only or access-restricted via client scripts or UI policies instead of ACLs, those restrictions need to be converted to ACLs; client-side controls alone do not stop an unauthorized user from updating the field.
- API GET/POST methods should not return client-submitted data back in the response, since echoing it can lead to client-side injection and Cross-Site Scripting (XSS) attacks.
- Instance Security Hardening – configure all ServiceNow mandatory and recommended security properties.
- Rate limiting on ServiceNow APIs – protects against an attacker bombarding the SN APIs with requests.
- Disable local logins – ensure all logins happen through SSO.
- OAuth 2.0 for authentication of inbound APIs – ensure all API authentication happens through OAuth 2.0 and no Basic Auth is used.
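As an added example (not code from the original post), here is a plain JavaScript sanitizer implementing the first point above for string fields received through an inbound API: it removes script tags, escapes any remaining angle brackets, and reports which fields had to be changed so the event can be logged. The payload shape and the integration point (calling it on the request body before a GlideRecord write in a Scripted REST API) are assumptions.

```javascript
// Matches <script ...>, </script>, and spacing/case variants such as "</SCRIPT >".
const SCRIPT_TAG_RE = /<\s*\/?\s*script\b[^>]*>/gi;

function sanitizeString(value) {
  // Strip script tags wholesale, then neutralise any remaining "<" / ">" by
  // HTML-escaping them (escaping keeps legitimate text like "a > b" readable).
  const noScriptTags = value.replace(SCRIPT_TAG_RE, '');
  return noScriptTags.replace(/</g, '&lt;').replace(/>/g, '&gt;');
}

function sanitizePayload(payload) {
  // Walk a JSON request body: sanitize every string, recurse into objects and
  // arrays, and record the path of each field that was modified.
  const changedFields = [];
  function walk(node, path) {
    if (typeof node === 'string') {
      const clean = sanitizeString(node);
      if (clean !== node) changedFields.push(path);
      return clean;
    }
    if (Array.isArray(node)) return node.map((v, i) => walk(v, `${path}[${i}]`));
    if (node && typeof node === 'object') {
      const out = {};
      for (const [k, v] of Object.entries(node)) out[k] = walk(v, path ? `${path}.${k}` : k);
      return out;
    }
    return node; // numbers, booleans and null pass through untouched
  }
  return { data: walk(payload, ''), changedFields };
}

// Constructed sample body, as an inbound incident-creation API might receive it
// (assumed field names; not taken from a real instance).
const sampleBody = {
  short_description: 'Printer offline <SCRIPT>alert(1)</script >',
  description: 'Error code 0x42 > threshold',
  urgency: 2,
  tags: ['vip', '<b>bold</b>'],
};

function demo() {
  // In a Scripted REST API this would run on request.body.data before saving;
  // changedFields is what you would write to a security log.
  return sanitizePayload(sampleBody);
}
```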
Scope of a PEN test in ServiceNow
Let us now cover some pointers on the scope of a penetration test in SNOW:
- MID Server software vulnerability assessment
- Services exposed by the MID Server
- MID Server management plan (including authn/authz)
- APIs exposed by ServiceNow
- Web application testing on the SN instance
I have covered these points when I performed a PEN test / penetration testing on my ServiceNow instance. Please do give your inputs if I missed something. Do share your views by commenting and sharing this post with all the ServiceNow geeks out there who are interested in this kind of discussion.