Issue with Batch API in ServiceNow
‎03-17-2025 07:23 PM
Hello, I'm experiencing an issue with the Batch API in ServiceNow. My code does not update the short description and description fields correctly. While the caller_id and impact fields are updated accurately, the urgency field shows a value of "3 - Low" instead of "1 - High." The response body returns a 200 status with no errors. Can anyone help me resolve this?
My code:
import base64
import json
import sys

import requests

# Headers carried by the inner (batched) request; the batch call itself sends the same set.
headers = [
    {"name": "Content-Type", "value": "application/json"},
    {"name": "Accept", "value": "application/json"},
    {"name": "x-sn-apikey", "value": "<API KEY>"}
]
body = {
    "caller_id": "62826bf03710200044e0bfc8bcbe5df1",
    "short_description": "Systemic Cross Site Request Forgery",
    "description": '<div>\n<p>In a Cross-Site Request Forgery (CSRF) attack, attackers create web pages on the Internet that cause browsers to make GET or POST requests to other websites. When a user who is logged in to the application visits the attacker’s website, the user’s browser issues the request and includes the user’s session or authentication cookie. If the application does not have a mechanism to confirm that the request originated from within the application itself, the attacker-chosen actions will be taken. <a class="text-blue-600 hover:text-blue-800 visited:text-purple-600" href="#citation:1:JNYb"><sup>[1] </sup></a><a class="text-blue-600 hover:text-blue-800 visited:text-purple-600" href="#citation:2:XwFa"><sup>[2] </sup></a><a class="text-blue-600 hover:text-blue-800 visited:text-purple-600" href="#citation:3:dZCj"><sup>[3] </sup></a></p>\n<p>The application does not contain CSRF countermeasures.</p>\n<h4 class="mt-2">Citations</h4><ul style="list-style-type: none"><li id="citation:1:JNYb"><sup class="text-blue-600 hover:text-blue-800 visited:text-purple-600">[1] </sup>Only <a class="underline text-blue-600 hover:text-blue-800 visited:text-purple-600" href="http://www.blug.linux.no/rfc1149/" rel="noopener noreferrer" target="_blank">one implementation</a></li><li id="citation:2:XwFa"><sup class="text-blue-600 hover:text-blue-800 visited:text-purple-600">[2] </sup>Only <a class="underline text-blue-600 hover:text-blue-800 visited:text-purple-600" href="http://www.blug.linux.no/rfc1149/" rel="noopener noreferrer" target="_blank">one implementation</a></li><li id="citation:3:dZCj"><sup class="text-blue-600 hover:text-blue-800 visited:text-purple-600">[3] </sup>Only <a class="underline text-blue-600 hover:text-blue-800 visited:text-purple-600" href="http://www.blug.linux.no/rfc1149/" rel="noopener noreferrer" target="_blank">one implementation</a></li></ul></div> <h4>Impact</h4><div>\n<p>An attacker may cause a targeted user to perform actions chosen by the attacker.</p>\n</div> <h4>Recommendation</h4><div>\n<p>Forms or links that take actions on behalf of users should be explicitly authenticated and tied to user intent. This can be done by embedding a random token in every form (or state-changing link, if applicable) that is presented to the end user. When a request is received, the application must verify the token matches the expected value before taking any actions. Because the attacker cannot determine the token without actually viewing the page containing the form, they cannot create web pages which blindly submit requests.</p>\n<p><a class="underline text-blue-600 hover:text-blue-800 visited:text-purple-600" href="/section:830" rel="noopener noreferrer" target="_blank">Cross Site Request Forgery</a> details full recommendations for remediating CSRF.</p>\n</div> <h4>Finding ID</h4>NCC-2021-424 <h4>Component</h4>AcmeTron web application <h4>State</h4>Reported',
    "state": 2,
    "impact": 1,
    "urgency": 1
}
# The Batch API expects each sub-request body as base64 of the JSON text.
body_json = json.dumps(body)
encoded_body = base64.b64encode(body_json.encode("utf-8")).decode("utf-8")
payload = {
    "batch_request_id": "12121",
    "rest_requests": [
        {
            "id": "1100",
            "exclude_response_headers": True,
            "headers": headers,
            "url": "api/now/table/incident",
            "method": "POST",
            "body": encoded_body
        }
    ]
}
response = requests.post(
    url="https://dev230409.service-now.com/api/now/v1/batch",
    headers={
        "Content-Type": "application/json",
        "Accept": "application/json",
        "x-sn-apikey": "<API KEY>"
    },
    json=payload,
    timeout=30
)
if response.status_code != 200:
    print("Status:", response.status_code, "Headers:", response.headers, "Error Response:", response.json())
    sys.exit(1)
# Decode the JSON response into a dictionary and use the data
data = response.json()
print(data)
# A 200 here only means the batch itself was accepted; each sub-request reports
# its own status_code, and its body comes back base64-encoded like the request body.
for served in data.get("serviced_requests", []):
    print("Request", served["id"], "status:", served.get("status_code"), served.get("status_text"))
    if served.get("body"):
        print(json.loads(base64.b64decode(served["body"]).decode("utf-8")))
0 REPLIES
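The check a practitioner would run on a batch result, as an added example that is not part of the original post or of ServiceNow's own code: it builds a Batch API payload from plain dicts and then inspects each sub-request's own status_code and decoded body, diffing the stored record against what was sent. The helper names (build_batch, check_batch_response, normalize) are hypothetical. It assumes the documented Batch API response shape (serviced_requests entries with id, status_code, status_text and a base64 body; unserviced_requests listing the ids that did not run) and uses a constructed sample response, not one captured from an instance, in which the sub-request succeeded with 201 but urgency came back as "3".

```python
import base64
import json

# Added example, not code from the original post. Field names follow the Batch
# API documentation (batch_request_id, rest_requests, serviced_requests,
# unserviced_requests, status_code, body); the sample response is constructed.

JSON_HEADERS = [
    {"name": "Content-Type", "value": "application/json"},
    {"name": "Accept", "value": "application/json"},
]


def encode_body(body):
    """Sub-request bodies are base64 of the UTF-8 JSON text."""
    return base64.b64encode(json.dumps(body).encode("utf-8")).decode("ascii")


def decode_body(b64_text):
    """Inverse of encode_body; sub-response bodies come back the same way."""
    return json.loads(base64.b64decode(b64_text).decode("utf-8"))


def build_batch(batch_id, requests_spec, api_key):
    """requests_spec: list of (id, method, url, body_dict_or_None)."""
    headers = JSON_HEADERS + [{"name": "x-sn-apikey", "value": api_key}]
    rest_requests = []
    for req_id, method, url, body in requests_spec:
        item = {
            "id": req_id,
            "exclude_response_headers": True,
            "headers": headers,
            "url": url,
            "method": method,
        }
        if body is not None:  # GET/DELETE carry no body
            item["body"] = encode_body(body)
        rest_requests.append(item)
    return {"batch_request_id": batch_id, "rest_requests": rest_requests}


def normalize(value):
    """Table API returns strings; references come back as {"link", "value"}."""
    if isinstance(value, dict) and "value" in value:
        value = value["value"]
    return str(value)


def check_batch_response(batch_response, sent_bodies):
    """Return {request_id: {"status_code": int|None, "mismatches": {field: (sent, stored)}}}.

    sent_bodies maps request id -> the dict that was sent, so the stored record
    (decoded from the base64 body) can be diffed against it. The outer HTTP 200
    says nothing about these per-request results. Unserviced requests get None.
    """
    report = {}
    for served in batch_response.get("serviced_requests", []):
        entry = {"status_code": served.get("status_code"), "mismatches": {}}
        if served.get("body"):
            decoded = decode_body(served["body"])
            stored = decoded.get("result", {}) if isinstance(decoded, dict) else {}
            for field, sent in sent_bodies.get(served["id"], {}).items():
                if field in stored and normalize(stored[field]) != normalize(sent):
                    entry["mismatches"][field] = (normalize(sent), normalize(stored[field]))
        report[served["id"]] = entry
    for unserved in batch_response.get("unserviced_requests", []):
        # Assumed: entries are ids as strings, or dicts carrying an "id".
        req_id = unserved["id"] if isinstance(unserved, dict) else unserved
        report[req_id] = {"status_code": None, "mismatches": {}}
    return report


# Constructed sample: the fields from the post, and a batch response where the
# POST itself succeeded (201) but the stored urgency is not what was sent.
SENT = {
    "1100": {
        "caller_id": "62826bf03710200044e0bfc8bcbe5df1",
        "short_description": "Systemic Cross Site Request Forgery",
        "state": 2,
        "impact": 1,
        "urgency": 1,
    }
}
SAMPLE_RESPONSE = {
    "batch_request_id": "12121",
    "serviced_requests": [{
        "id": "1100", "status_code": 201, "status_text": "Created",
        "body": encode_body({"result": {
            "number": "INC0010001",
            "caller_id": {"link": "https://example.invalid/api/now/table/sys_user/62826bf03710200044e0bfc8bcbe5df1",
                          "value": "62826bf03710200044e0bfc8bcbe5df1"},
            "short_description": "Systemic Cross Site Request Forgery",
            "state": "2", "impact": "1", "urgency": "3",
        }}),
    }],
    "unserviced_requests": ["1101"],
}


def demo():
    spec = [("1100", "POST", "api/now/table/incident", SENT["1100"]),
            ("1101", "GET", "api/now/table/incident?sysparm_limit=1", None)]
    payload = build_batch("12121", spec, "<API KEY>")
    return payload, check_batch_response(SAMPLE_RESPONSE, SENT)


if __name__ == "__main__":
    _, report = demo()
    print(json.dumps(report, indent=2))
```

Run it and the report shows request 1100 with status 201 and a single mismatch, urgency sent as "1" but stored as "3", while 1101 appears with status None because it was never serviced; against a live instance, replace SAMPLE_RESPONSE with response.json() from the batch call and keep the same check.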