10-24-2023 03:50 AM - edited 11-05-2023 11:40 PM
In response to the recently published "Simple-List-Widget Attack", I have created a Scoped Application that allows you to analyse any (still) existing problematic Widgets and ACLs.
In addition, you can systematically analyse the data extraction attempts.
Disclaimer:
This application adheres to data protection regulations and processes all data locally. The app exclusively uses data from the instance on which it is installed and does not disclose any data from that instance.
Note: 4 custom tables are used by this application. After the incident has been resolved and closed, please uninstall the application (see instructions in the next post).
The Application can be installed via the following repository:
https://github.com/kr4uzi/ServiceNow-Data-Leak-Analyser
Note: Install Instructions are in the first reply to this post.
Planned Features:
- Full Leak Analysis (which records have actually been transmitted to an attacker) (implemented in Version 1.1.0)
- Management Summary ("C-Level Summary of this Incident")
Features:
1.) Analyse potentially leaking Widgets
- Create a Task for each detected, potentially leaking (public) Widget
- Provide remediation instructions in the Dashboard and the Task to close the security gap
- Recommended: Analysis should be done repeatedly via "Re-Analyse Widgets"
2.) Analyse ACLs
- Show ACLs prone to leaking data
- List ServiceNow Best Practices and instructions to harden the ACL configuration
3.) Analyse Extraction Attempts
- Analyse all extraction attempts and show information about the attack
- Analyse which records have been leaked
- Create a task for each attempt to document your analysis
Show all the information required to analyse the Extraction Attempt in the Task itself:
Please see the very first response to this Post for Installation & Update Instructions.
Install Instructions
1.) Create a GitHub Account
2.) Fork the Repository
From the forked repository (IMPORTANT: not *my* repo, but yours!), copy the Git URL:
3.) Copy the Git repo URL into a local document on your computer; you will also need to save one more thing before you can install the app on a ServiceNow instance.
The document will be used to store the following things:
- Forked Repository Git URL (should still be in your clipboard)
- GitHub Access Token - this is required to install the application on the target instance and will be created in the next step
4.) Create a new GitHub Access Token (open: https://github.com/settings/tokens/new)
Fill in the data as shown in the screenshot:
Scroll down to the bottom of the page and hit "Generate token". The page will reload and you will see your personal access token; save this token in the document you created previously.
5.) Go to the Instance that needs to be analysed and create a new Basic Authentication Credential:
Filter navigator: Connection & Credentials > Credentials. Click "New" and select "Basic Auth Credentials"
Name: GitHub <Your Name Here>
User name: <Your primary GitHub mail>
*If in doubt, you can check here: https://github.com/settings/emails
Password: <The GitHub Access Token you just created>
6.) Open the Studio (Filter navigator: "System Applications > Studio")
Select "Import From Source Control":
Fill out the pop-up with:
Network Protocol: https (default)
URL: Your Repository's GitHub URL (you have stored this in the document)
Credential: Select the record you have created in the previous step
Branch: main
* This is very important: You need to override the default value with main
Then click "Import".
Afterwards, the Dashboard is available either via "Self Service > Dashboards" (search for "Data Leak Analyzer") or via "Data Leak Analyzer > Dashboard".
Update Instructions
1.) Update your Fork: Open your Data Leak Analyzer Repository and click on "Sync fork > Update branch".
Note: "Sync fork" is actually a button.
Note: "Update branch" is disabled when there is no update available.
2.) On every instance where the application is installed, you need to go to the Studio again and open the "Data Leak Analyzer" Application.
3.) Select "Source Control > Apply Remote Changes"
@Markus Kraus amazing work! Kudos and great share with the community 😀 This deserves recognition. Forked your repo and installed this app in my PDI; currently looking over it, and it looks really nice and useful.
Fan of your naming convention in the Script Includes, +1. Nice, clean and tidy!
- Robin
@Markus Kraus Thanks heaps for this. I've run this on our instances and it has certainly helped alleviate our Cyber Security team's concerns. Much appreciated!
Cheers,
Brad
I thought I might give a quick update to this:
We are reaching the default cleanup threshold (56 days) by the end of this week! We saw the first attacks happen on the 14th of October, which means that if you haven't scanned your instance yet, now is the last chance to have a precise leak analysis.