Penetration Test vulnerability in serviceNow
3 weeks ago
We had a penetration test in ServiceNow for potential vulnerabilities and were asked to fix the two below.
LUCKY13 — Remediation requires disabling the vulnerable ciphers, as noted in the information above.
• Instead of CBC Cipher Suites, use AEAD Cipher Suites such as AES-GCM.
BREACH — Remediation requires changes to the web server's configuration.
• Turning off HTTP compression
• Separating secrets from user input
• Masking secrets (effectively randomizing by XORing with a random secret per request)
• Protecting vulnerable pages with CSRF
• Length hiding (by adding a random number of bytes to the responses)
• Rate-limiting the requests
How to fix these?
2 weeks ago
Hi @Hafsa1 ,
LUCKY13 & BREACH are 2 important vulnerabilities in ServiceNow.
LUCKY13 — Remediation requires disabling the vulnerable ciphers, as noted in the information above.
• Instead of CBC Cipher Suites, use AEAD Cipher Suites such as AES-GCM.
-> Disable the CBC cipher suites in that case. You can't do that directly. Please raise a HI Support case for the same.
BREACH — Remediation requires changes to the web server's configuration.
-> Turning off HTTP compression: you can't do that. Raise a HI support case for the same.
Don't expose sensitive information.
Please mark helpful & correct answer if it's worthy for you.
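One of the BREACH mitigations listed in the question, "masking secrets (XORing with a random secret per request)", is something an application can do on its own pages even when the platform's compression setting is out of its hands. The block below is an added illustration, not ServiceNow code: it masks a per-session token with a fresh random mask for every response so the bytes in the page differ each time, unmasks it on submission, and validates it in constant time. The token length and session secret are constructed values.

```python
import base64
import hmac
import secrets
from typing import Optional

TOKEN_LEN = 32  # bytes of per-session secret; constructed value for this example


def mask_token(secret: bytes, mask: Optional[bytes] = None) -> str:
    """Return base64(mask || secret XOR mask) for embedding in a response.

    A fresh random mask is drawn on every call, so the same session secret has
    a different on-the-wire form in every response; a compressor never sees
    the stable secret next to attacker-influenced text. `mask` may be supplied
    explicitly only to make the function deterministic in tests.
    """
    if mask is None:
        mask = secrets.token_bytes(len(secret))
    if len(mask) != len(secret):
        raise ValueError("mask and secret must have the same length")
    masked = bytes(s ^ m for s, m in zip(secret, mask))
    return base64.urlsafe_b64encode(mask + masked).decode("ascii")


def unmask_token(wire: str) -> bytes:
    """Recover the session secret from a value produced by mask_token."""
    raw = base64.urlsafe_b64decode(wire)  # raises ValueError on bad input
    if len(raw) == 0 or len(raw) % 2:
        raise ValueError("malformed masked token")
    half = len(raw) // 2
    mask, masked = raw[:half], raw[half:]
    return bytes(m ^ x for m, x in zip(mask, masked))


def token_is_valid(wire: str, session_secret: bytes) -> bool:
    """Check a submitted masked token against the session secret.

    Any decoding failure is treated as an invalid token, and the final
    comparison is constant-time so validation is not itself a timing oracle.
    """
    try:
        submitted = unmask_token(wire)
    except ValueError:
        return False
    return hmac.compare_digest(submitted, session_secret)


if __name__ == "__main__":
    session_secret = secrets.token_bytes(TOKEN_LEN)
    first, second = mask_token(session_secret), mask_token(session_secret)
    print("token bytes differ between responses:", first != second)
    print("both validate against the session:", token_is_valid(first, session_secret)
          and token_is_valid(second, session_secret))
```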