What is entity expansion in servicenow context?
03-16-2021 09:17 AM
A health scan was run on our instance and one of the security items said to disable entity expansions. Could someone give me a quick explanation please. Or link me to something.
Thanks

03-16-2021 09:43 AM
https://docs.servicenow.com/bundle/quebec-platform-administration/page/administer/security/reference/disable-entity-expansion.html
Hope this helps.
01-28-2022 12:18 AM
In my opinion, the documentation on this is a little sparse.
XML Entity Expansion is part of the OWASP Top 10 and as such not to be taken lightly.
OWASP provides some more detailed information here.
Normally, XML files will not be uploaded and processed by arbitrary users, so on the import side, the risk is probably low. Note that SOAP and SAML also use XML, so if you disable this setting, you need to test all of your integrations. (It might, for example, affect the use of the Document Type Definitions, which are External Entities).

04-06-2022 11:02 PM
Repost due to Account Merge - sorry.
In my opinion, the documentation on this is a little sparse.
XML Entity Expansion is part of the OWASP Top 10 and as such not to be taken lightly.
OWASP provides some more detailed information here.
Normally, XML files will not be uploaded and processed by arbitrary users, so on the import side, the risk is probably low. Note that SOAP and SAML also use XML, so if you disable this setting, you need to test all of your integrations. (It might, for example, affect the use of the Document Type Definitions, which are External Entities).
If you want to learn how this can be exploited, I recommend going to https://pentesterlab.com/
This YouTube video shows the idea: https://youtu.be/z2XmaQxTJ0M?t=359
If this answer was helpful, I would appreciate it if you marked it as such - thanks!
Best
Daniel
10-15-2024 07:11 AM
Hi Daniel,
We have received a recommendation from ServiceNow to set this property 'glide.stax.allow_entity_resolution' to false. Currently it is true & we are not sure about the impact of changing this value to False.
5 years ago ServiceNow sent a recommendation to set this property value to TRUE (for the Helsinki version), now it's again sending a recommendation to set this to False. I'm pretty much confused here.
From your last update, I see we need to test the SOAP & SAML integration as well if we set it to False.
Since it's been a long time since your update, is there any update on the impact that we need to look for?
Please advise.
Thanks
Chitra
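To make concrete what Daniel's answer and Chitra's question are about, here is an added example (not from any post in this thread and not ServiceNow code) using only Python's stdlib expat parser: the same document is parsed once with entity resolution allowed, so `&greet;` is expanded, and once with a policy that rejects any DOCTYPE or entity declaration, which is the effect a setting like `glide.stax.allow_entity_resolution = false` aims for. The function and sample names are my own, and the property's exact internal behaviour is assumed, not taken from the documentation.

```python
import xml.parsers.expat as expat

# Constructed sample: an inline DTD declares one entity, which the body
# references twice. "Entity expansion" is the substitution of &greet; by "hello".
SAMPLE_WITH_ENTITY = b"""<?xml version="1.0"?>
<!DOCTYPE note [
  <!ENTITY greet "hello">
]>
<note>&greet; &greet;</note>"""

# Constructed sample with no DTD at all, as a typical integration payload would be.
SAMPLE_PLAIN = b"""<?xml version="1.0"?><note>hello hello</note>"""


class EntityDeclared(Exception):
    """Raised when a document declares a DTD/entity and the policy forbids it."""


def parse_text(xml_bytes: bytes, allow_entity_resolution: bool = True) -> str:
    """Return the character content of the root element.

    With allow_entity_resolution=False the parser refuses any DOCTYPE or
    entity declaration before anything is expanded (hypothetical equivalent
    of the 'disable entity expansion' hardening discussed above).
    """
    parser = expat.ParserCreate()
    chunks: list[str] = []

    def on_char(data: str) -> None:
        # Expat delivers already-expanded text here when resolution is allowed.
        chunks.append(data)

    def reject_doctype(name, system_id, public_id, has_internal_subset) -> None:
        # Both inline subsets and external DTDs (system_id) can declare entities.
        raise EntityDeclared(f"DOCTYPE '{name}' not allowed by policy")

    def reject_entity(name, is_param, value, base, system_id, public_id, notation) -> None:
        raise EntityDeclared(f"entity '{name}' not allowed by policy")

    parser.CharacterDataHandler = on_char
    if not allow_entity_resolution:
        parser.StartDoctypeDeclHandler = reject_doctype
        parser.EntityDeclHandler = reject_entity
    parser.Parse(xml_bytes, True)  # exceptions raised in handlers propagate here
    return "".join(chunks)


def is_accepted(xml_bytes: bytes, allow_entity_resolution: bool) -> bool:
    """True if the document parses under the given policy, False if rejected."""
    try:
        parse_text(xml_bytes, allow_entity_resolution)
        return True
    except EntityDeclared:
        return False
```

Run the plain sample under the strict policy as well: a DTD-free payload is unaffected, which is why the integration testing Daniel recommends is about finding the SOAP/SAML partners that do send DOCTYPE declarations.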