5 ways to check your #ServiceNow instance for DANGEROUS CODE in less than 5 minutes

Your #ServiceNow instance DEFINITELY has DANGEROUS CODE executing in it, RIGHT NOW, causing performance issues, unexpected behavior, and hiding records from people who should be able to see them (including you)!

This isn't a fear-mongering tactic; it's a fact we all overlook - until it's too late.

In this article, we'll unveil the top five (+1) quick and efficient methods to uncover this concealed, risky, and performance-degrading code in your instance. But that's not all - we'll also shed light on other lurking risks that could be silently sabotaging your instance's #performance or #security - even as you read this! (These issues even apply in many out-of-box scripts and records!)


This LinkedIn article contains the main segment of an article from snprotips.com. To see the full article, including 3 more bonus tips, click here!


1. Query Business Rules that could be hiding records from you, without your knowledge

As I mention in this article, your Query Business Rules could be filtering records without your knowledge!

Find any dangerous QBRs by navigating to the sys_script table, filtering it with the query below, and looking through the returned Business Rules for any that filter records using "is not", "not in", "!=", etc. *without* an "...or is blank" condition.

scriptLIKENOT IN^ORscriptLIKENOTIN^ORscriptLIKEISNOT^ORscriptLIKE, '!='^ORscriptLIKE, "!="^action_query=true
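The encoded query above narrows the list; the remaining step is reading each script for a negative condition that lacks its "or is blank" partner. The block below is an added example, not code from the article or from ServiceNow: a heuristic scanner that does that reading over constructed sample rules. It recognises negative conditions written as addQuery with '!=' / 'NOT IN' / 'NOT LIKE' or inside an addEncodedQuery string, and blank-handling written as addOrCondition(field, ''), addNullQuery(field) or ^ORfieldISEMPTY; a script written any other way is an assumption it would misreport, so treat its output as a shortlist for manual review.

```javascript
// Added example, not code from the article or from ServiceNow: a heuristic
// scanner over Query Business Rule scripts that flags a negative condition on
// a field when the script has no "or is blank" condition for that same field,
// the pattern the article describes as silently hiding records.

// Negative conditions in the forms QBR scripts usually take:
//   current.addQuery('field', '!=', value)      addQuery('field', 'NOT IN', value)
//   current.addEncodedQuery('field!=value')     addEncodedQuery('fieldNOT INvalue')
// Field names are lowercase/underscore, which is what separates them from the
// operator inside an encoded string.
const NEGATIVE_API     = /addQuery\(\s*['"]([a-z0-9_.]+)['"]\s*,\s*['"](!=|NOT IN|NOT LIKE)['"]/g;
const ENCODED_STRING   = /addEncodedQuery\(\s*['"]([^'"]*)['"]/g;
const NEGATIVE_ENCODED = /([a-z0-9_.]+)(!=|NOT IN|NOT LIKE)/g;

// Blank-handling conditions this scanner recognises (assumption: a script that
// handles blanks another way is reported as unhandled):
//   .addOrCondition('field', '')   addNullQuery('field')   ...^ORfieldISEMPTY
const OR_BLANK_CALL   = /addOrCondition\(\s*['"]([a-z0-9_.]+)['"]\s*,\s*['"]['"]\s*\)/g;
const NULL_QUERY_CALL = /addNullQuery\(\s*['"]([a-z0-9_.]+)['"]/g;
const OR_BLANK_TERM   = /\^OR([a-z0-9_.]+)ISEMPTY/g;

function blankHandledFields(script) {
  const fields = new Set();
  for (const re of [OR_BLANK_CALL, NULL_QUERY_CALL, OR_BLANK_TERM]) {
    for (const m of script.matchAll(re)) fields.add(m[1]);
  }
  return fields;
}

function negativeConditions(script) {
  const found = [];
  for (const m of script.matchAll(NEGATIVE_API)) found.push({ field: m[1], op: m[2] });
  for (const enc of script.matchAll(ENCODED_STRING)) {
    for (const t of enc[1].matchAll(NEGATIVE_ENCODED)) found.push({ field: t[1], op: t[2] });
  }
  return found;
}

// rules: rows shaped like sys_script (name, action_query, script).
function findRiskyQueryRules(rules) {
  const findings = [];
  for (const rule of rules) {
    if (!rule.action_query) continue;           // only Query BRs filter reads
    const handled = blankHandledFields(rule.script);
    for (const cond of negativeConditions(rule.script)) {
      if (!handled.has(cond.field)) findings.push({ rule: rule.name, ...cond });
    }
  }
  return findings;
}

// Constructed sample rules; not real instance data.
const SAMPLE_RULES = [
  { name: "Hide others' work", action_query: true,
    script: "current.addQuery('assigned_to', '!=', gs.getUserID());" },
  { name: "Hide others' work (safe)", action_query: true,
    script: "current.addQuery('assigned_to', '!=', gs.getUserID()).addOrCondition('assigned_to', '');" },
  { name: 'Hide closed', action_query: true,
    script: "current.addEncodedQuery('stateNOT IN7,8^ORstateISEMPTY');" },
  { name: 'Hide drafts', action_query: true,
    script: "current.addEncodedQuery('categoryNOT LIKEdraft');" },
  { name: 'Not a query rule', action_query: false,
    script: "current.addQuery('state', '!=', 3);" },
];

console.log(findRiskyQueryRules(SAMPLE_RULES));
// flags "Hide others' work" (assigned_to, !=) and "Hide drafts" (category, NOT LIKE)
```

The first sample rule is the classic case: an unassigned record has an empty assigned_to, so "assigned_to != me" drops it for everyone, and the safe variant only differs by the addOrCondition that lets blanks through.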

2. ACL Scripts that execute when they shouldn't!

As I mention in another article, un-checking the "Advanced" checkbox on an ACL rule HIDES the Script field, but it DOES NOT CLEAR IT, and does not prevent the script from running! This can have serious impacts on performance, stability, and can cause unexpected behavior and make these issues incredibly difficult to troubleshoot. I GUARANTEE that you've got at least a couple DOZEN ACLs in your instance RIGHT NOW, with this issue!

The free tool I mention in the article linked above can identify ACLs with this issue and prevent it from occurring in the future, but you can identify ACLs already hiding in your ServiceNow environment right now by navigating to the sys_security_acl table and using the following query:

advanced=false^scriptISNOTEMPTY

Note: The same thing applies to Business Rules. See the article linked above for more details. It does not, however, apply to UI Policy Scripts. If a UIP's "Run Scripts" field is set to false, then the script will not run.


3. Tracked Configuration Files exposing your passwords, API tokens, and secret keys!

The "Tracked Configuration files" table in ServiceNow contains copies of the contents of discovered servers' configuration files. While it's not "best-practice", it is very common for .config files to contain API keys, access tokens, or passwords in plain text. When ServiceNow gobbles up this information, it is stored in plain text in a table called cmdb_ci_config_file_tracked.

Depending on your instance version, the content of these files may even be visible to everyone with the itil role! (Although on more recent versions of ServiceNow, it requires a separate role: tracked_file_reader; but the data is still not encrypted, and thus is still something to be wary of).

You can find most of these dangerous tracked config files by navigating to the cmdb_ci_config_file_tracked table, and using a query similar to the following:

contentLIKEtoken^ORcontentLIKEkey^ORcontentLIKEpwd^ORcontentLIKEpassword^ORcontentLIKEsecret^ORcontentLIKEauth

Note: When filtering the table on the "content" field, you'll notice that the "...contains..." query operator is not available in the filter builder. This is annoying, but we can work around it by constructing our own encoded query and using the LIKE operator, then manipulating the URL to use our custom encoded query.
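All three checks above are plain encoded queries, and the note explains why it helps to build them by hand. The block below is an added example, not code from the article or from ServiceNow: a small evaluator for the encoded-query dialect those queries use, run offline against constructed rows standing in for sys_security_acl and cmdb_ci_config_file_tracked, plus the list-URL construction the note describes. It implements only the operators the article's queries need, and its case-insensitive reading of "contains" is an assumption mirroring the platform's default text collation.

```javascript
// Added example, not code from the article or from ServiceNow: an evaluator
// for the encoded-query dialect behind the article's checks, run offline
// against constructed rows so the matching logic is visible without an
// instance. Only the operators those queries use are implemented.

// One term: "scriptLIKENOT IN", "advanced=false", "scriptISNOTEMPTY".
// Field names are lowercase/underscore, so the operator is found unambiguously
// even when the value itself contains words such as "NOT IN" or "!=".
const TERM = /^([a-z0-9_.]+)(ISNOTEMPTY|ISEMPTY|LIKE|=)(.*)$/;

function parseEncodedQuery(encoded) {
  // "^" separates conditions (AND); a condition prefixed with "OR" joins the
  // preceding group, so "a^ORb^c" is read as (a OR b) AND c.
  const groups = [];
  for (const raw of encoded.split('^')) {
    const isOr = raw.startsWith('OR');
    const m = TERM.exec(isOr ? raw.slice(2) : raw);
    if (!m) throw new Error('unparseable term: ' + raw);
    const term = { field: m[1], op: m[2], value: m[3] };
    if (isOr && groups.length > 0) groups[groups.length - 1].push(term);
    else groups.push([term]);
  }
  return groups;
}

function matchesTerm(record, { field, op, value }) {
  // Booleans and nulls are compared the way the list view displays them.
  const actual = record[field] == null ? '' : String(record[field]);
  switch (op) {
    case 'ISEMPTY':    return actual === '';
    case 'ISNOTEMPTY': return actual !== '';
    case '=':          return actual === value;
    // "contains": case-insensitive substring match (assumed, mirroring the
    // platform's default text collation).
    case 'LIKE':       return actual.toLowerCase().includes(value.toLowerCase());
    default:           throw new Error('unsupported operator: ' + op);
  }
}

function runEncodedQuery(records, encoded) {
  const groups = parseEncodedQuery(encoded);
  return records.filter(r => groups.every(g => g.some(t => matchesTerm(r, t))));
}

// The URL workaround from the "content" note: a list view accepts a hand-built
// encoded query through sysparm_query, whether or not the filter builder
// offers the operator.
function listUrl(table, encoded) {
  return '/' + table + '_list.do?sysparm_query=' + encodeURIComponent(encoded);
}

// Constructed sample rows standing in for sys_security_acl and
// cmdb_ci_config_file_tracked; none of this is real instance data.
const SAMPLE_ACLS = [
  { name: 'incident',       advanced: false, script: 'answer = gs.hasRole("itil");' },
  { name: 'incident.state', advanced: true,  script: 'answer = current.isNewRecord();' },
  { name: 'problem',        advanced: false, script: '' },
];
const SAMPLE_CONFIG_FILES = [
  { name: '/etc/app/app.config',   content: 'db.host=localhost\ndb.password=hunter2' },
  { name: '/etc/app/logging.conf', content: 'level=info\nformat=json' },
];

// The article's own queries, verbatim.
const ACL_QUERY = 'advanced=false^scriptISNOTEMPTY';
const CONFIG_QUERY = 'contentLIKEtoken^ORcontentLIKEkey^ORcontentLIKEpwd^ORcontentLIKEpassword^ORcontentLIKEsecret^ORcontentLIKEauth';

// Names of ACLs whose hidden Script field still holds code.
function hiddenAclScripts() {
  return runEncodedQuery(SAMPLE_ACLS, ACL_QUERY).map(r => r.name);
}

// Names of tracked config files whose content looks like it carries a secret.
function secretBearingConfigFiles() {
  return runEncodedQuery(SAMPLE_CONFIG_FILES, CONFIG_QUERY).map(r => r.name);
}

console.log(hiddenAclScripts());            // [ 'incident' ]
console.log(secretBearingConfigFiles());    // [ '/etc/app/app.config' ]
console.log(listUrl('sys_security_acl', ACL_QUERY));
```

The grouping rule in parseEncodedQuery is what makes the tracked-file query behave: the six contentLIKE terms collapse into one OR group, and only the trailing "^" conditions (like action_query=true in the QBR query) are ANDed against it.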


Do you know of any major risks in ServiceNow that people should be made aware of? Let us know in the comments below!

If you see someone with some helpful ideas in the comments, be sure to drop them a like!

If you like my content, be sure to subscribe to the SN Pro Tips newsletter on snprotips.com, and subscribe on LinkedIn!


This LinkedIn article contains the first 3 tips from an article on SN Pro Tips. To see the full article, including 3 more bonus tips, click here!


#ServiceNow #ServiceNowDev #ServiceNowTips #ITSM #ITOM #ITIL #DevOps #BestPractices #DigitalTransformation #ITServiceManagement

John Dahl

ServiceNow Senior Developer & Architect, CSA, CAD, multiple CIS

1 year

Thanks for the reminder Tim Woodruff! I checked my instance and found 13 ACLs and 44 business rules OOB with the Advanced checkbox cleared and content in the Script field!

Michael Moody

Sr. ServiceNow Architect/Developer

1 year

Any async business rule can quickly compromise all worker threads causing instance performance degradation and sysevent backlog. This can easily happen when triggered in bulk by batch insert operations from inbound API calls or from a scheduled job. The performance impact to the instance can be exponential if the async rule is poorly written and slow processing.

Timothy Raso

ServiceNow Developer, MS Power Platform , MBA Candidate, Certified Systems Administrator, Certified Application Developer, Consultant, Delivering complex program solutions and leadership with exceptional results

1 year

Thanks for sharing, I am very appreciative of all the resources and knowledge you and everyone else share. Keep it coming, I'll try to keep up.

Matt Tremblay

ServiceNow Developer, IT Systems and Security Analyst. CSA|CAD|CIS|CEH|MCSA|AWS

1 year

Worthy additions to instance scan
