# 5 Ways to Check your ServiceNow Instance for DANGEROUS CODE in Less Than 5 minutes
ServiceNow Developer Pro-Tips · May 11, 2023 · article
Your ServiceNow instance **DEFINITELY** has DANGEROUS CODE executing in it _RIGHT NOW_, causing performance issues, unexpected behavior, and hiding records from people who should be able to see them (including you)!
This isn't a fear-mongering tactic; it's a fact we all overlook - until it's too late.
In this article, we'll unveil the top five (+1) quick and efficient methods to uncover this concealed, risky, and performance-degrading code in your instance. But that's not all - we'll also shed light on other lurking risks that could be silently sabotaging your instance's performance or security - even as you read this! (_These issues even apply in many_ **_out-of-box_** _scripts and records!_)
**Update 8/3/25:**
I’ve added another bonus tool that **automatically scans your instance** for dangerously poor-performance queries wherein the code appears to be expecting only a single record, but fails to tell the database that, and thus has at minimum **double** the average performance impact it ought to.
You can run the code from [**this gist**](https://gist.github.com/thisnameissoclever/91064abea75a8dcfdf6669c194a4d888) in a background script in your instance to see how bad things are in your instance, but be warned - the most egregious examples of violations of this sort may just be in out-of-box code…
---
## 1️⃣ Query Business Rules hiding records without your knowledge!
As I mention in [this article](https://qbr.snc.guru/), your Query Business Rules could be filtering records without your knowledge!
Find any dangerous QBRs by navigating to the **_sys\_script_** table, filtering that table using the below query, and looking through the returned BRs for any that filter records using "is not", "not in", "!=", etc. queries *without* an "...or is blank" condition.
> _scriptLIKENOT IN^ORscriptLIKENOTIN^ORscriptLIKEISNOT^ORscriptLIKE, '!='^ORscriptLIKE, "!="^action\_query=true_
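Once the list is on screen, each script still has to be read to see whether the negative filter has an "or is blank" branch for the same field. The following is an added example, not code from the article or from ServiceNow, that does this check heuristically over exported script text; it goes slightly beyond the query above by also parsing `!=` and `NOT IN` terms inside `addEncodedQuery()` strings. The sample rows and function names are constructed for illustration.

```javascript
// Added example (not from the article): heuristic triage of Query Business Rule scripts.
// Constructed rows shaped like sys_script records where action_query=true.
const SAMPLE_QBRS = [
  { name: 'Hide closed tasks',
    script: "current.addQuery('state', '!=', '7');" },
  { name: 'Hide VIP callers (blank-safe)',
    script: "current.addQuery('caller_id.vip', '!=', 'true').addOrCondition('caller_id.vip', '');" },
  { name: 'Exclude internal categories',
    script: "current.addEncodedQuery('active=true^categoryNOT INinternal,hr');" },
  { name: 'Exclude restricted (blank-safe)',
    script: "current.addEncodedQuery('u_classification!=restricted^ORu_classificationISEMPTY');" }
];

// addQuery('field', '<negative operator>', value)
const NEGATIVE_CALL = /\.add(?:Query|OrCondition)\(\s*['"]([\w.]+)['"]\s*,\s*['"](!=|NOT IN|NOTIN|IS NOT)['"]/gi;
// String literal passed to addEncodedQuery(...)
const ENCODED_CALL = /\.addEncodedQuery\(\s*(['"])(.*?)\1/g;
// One ^-separated encoded-query term: field name followed by a negative operator
const NEGATIVE_TERM = /^(?:OR|NQ)?([a-z_][a-z0-9_.]*)(!=|NOT IN|NOTIN)/;

// Fields that the script filters with a negative operator.
function negativeFields(script) {
  const fields = new Set();
  for (const m of script.matchAll(NEGATIVE_CALL)) fields.add(m[1]);
  for (const m of script.matchAll(ENCODED_CALL)) {
    for (const term of m[2].split('^')) {
      const t = NEGATIVE_TERM.exec(term);
      if (t) fields.add(t[1]);
    }
  }
  return [...fields];
}

// True if the script also lets records through when `field` is empty.
function hasBlankBranch(script, field) {
  const q = `['"]${field.replace(/\./g, '\\.')}['"]`;
  return script.includes(field + 'ISEMPTY') ||
    new RegExp(`\\.addNullQuery\\(\\s*${q}`).test(script) ||
    new RegExp(`\\.addOrCondition\\(\\s*${q}\\s*,\\s*(?:''|"")`).test(script);
}

// Rules with at least one negative filter that has no "or is blank" branch.
function triageQueryRules(rows) {
  return rows
    .map(row => ({
      name: row.name,
      unguarded: negativeFields(row.script).filter(f => !hasBlankBranch(row.script, f))
    }))
    .filter(r => r.unguarded.length > 0);
}

console.log(triageQueryRules(SAMPLE_QBRS));
```

A rule that this check does not flag can still hide records in other ways, so treat the output as a reading order, not a verdict.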
---
## 2️⃣ ACL Scripts that execute when they shouldn't!
As I mention in [another article](https://advanced.snc.guru/), un-checking the "Advanced" checkbox on an ACL rule HIDES the Script field, but it **DOES NOT CLEAR IT**, and **does not prevent the script from running**! This can seriously affect performance and stability, cause unexpected behavior, and make the resulting issues incredibly difficult to troubleshoot. I GUARANTEE that you've got at least a couple _DOZEN_ ACLs in your instance RIGHT NOW, with this issue!
The free tool I mention in the article linked above can identify ACLs with this issue and prevent it from occurring in the future, but you can identify ACLs already hiding in your ServiceNow environment right now, by navigating to the **_sys\_security\_acl_** table and using the following query:
> _advanced=false^scriptISNOTEMPTY_
**_Note:_** _The same thing applies to Business Rules. See the article linked above for more details. It does not, however, apply to UI Policy Scripts. If a UIP's "Run Scripts" field is set to false, then the script will not run._
---
## 3️⃣ Tracked Configuration Files exposing your passwords!
The "Tracked Configuration files" table in ServiceNow contains copies of the contents of discovered servers' configuration files. While it's not "best-practice", it is very common for _.config_ files to contain API keys, access tokens, or passwords in plain text. When ServiceNow gobbles up this information, it is stored in plain text in a table called _cmdb\_ci\_config\_file\_tracked_.
Depending on your instance version, the content of these files may even be visible to **everyone with the itil role**! (Although on more recent versions of ServiceNow, it requires a separate role: _tracked\_file\_reader_; but the data is still not encrypted, and thus is still something to be wary of).
You can find _most_ of these dangerous tracked config files by navigating to the _cmdb\_ci\_config\_file\_tracked_ table, and using a query similar to the following:
> _contentLIKEtoken^ORcontentLIKEkey^ORcontentLIKEpwd^ORcontentLIKEpassword^ORcontentLIKEsecret^ORcontentLIKEauth_
**Note:** _When filtering the table on the "content" field, you'll notice that the "...contains..." query operator is not available in the filter builder. This is annoying, but we can work around it by constructing our own encoded query and using the_ **_LIKE_** _operator, then manipulating the URL to use our custom encoded query._
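The `LIKE` terms above are substring matches, so `contentLIKEkey` also returns every file containing an ordinary line such as `<add key="PageSize" ... />`. The following added example (not from the article) narrows exported rows down to lines where a sensitive-looking name is actually assigned a literal value, and reports only the location and the value's length. The sample files, values and function names are constructed for illustration.

```javascript
// Added example (not from the article): triage rows exported from
// cmdb_ci_config_file_tracked without ever echoing the secret itself.

// Constructed sample rows; every value below is a placeholder.
const SAMPLE_FILES = [
  { name: 'web.config', content: [
      '<appSettings>',
      '  <add key="PageSize" value="50" />',
      '  <add key="ApiKey" value="EXAMPLE-ONLY-0000" />',
      '</appSettings>',
      '<add name="Db" connectionString="Server=db01;User Id=app;Password=EXAMPLE-ONLY-1111;" />'
    ].join('\n') },
  { name: 'app.properties',
    content: 'db.password=${DB_PASSWORD}\ncache.ttl=300\nauth.token = EXAMPLE-ONLY-2222' }
];

// The same keywords as the encoded query in the article.
const SENSITIVE = /(token|key|pwd|password|secret|auth)/i;
// <add key="Name" value="Value" /> as used in .NET appSettings
const XML_ADD = /<add\s+key="([^"]+)"\s+value="([^"]*)"/gi;
// name=value or name: value, including the parts of a connection string
const ASSIGNMENT = /([\w.-]+)\s*[=:]\s*["']?([^\s"';<>]+)/g;
// Values that are references to a secret stored elsewhere, not the secret.
const PLACEHOLDER = /^(\$\{.*\}|%.*%|\{\{.*\}\})$/;

function findSecrets(file) {
  const findings = [];
  file.content.split(/\r?\n/).forEach((text, i) => {
    // Prefer the XML form so that the literal attribute name "key" is not
    // mistaken for a sensitive setting name.
    let pairs = [...text.matchAll(XML_ADD)];
    if (pairs.length === 0) pairs = [...text.matchAll(ASSIGNMENT)];
    for (const [, key, value] of pairs) {
      if (!SENSITIVE.test(key) || value === '' || PLACEHOLDER.test(value)) continue;
      findings.push({ file: file.name, line: i + 1, key, valueLength: value.length });
    }
  });
  return findings;
}

function scanTrackedFiles(files) {
  return files.flatMap(findSecrets);
}

console.log(scanTrackedFiles(SAMPLE_FILES));
```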
---
## 4️⃣ Inefficient client-side queries and GlideAjax calls
Queries and GlideAjax calls in client scripts should always be asynchronous.
You can identify synchronous client-side queries and GlideAjax calls in Client Scripts, Catalog Client Scripts, and UI Policy scripts by navigating to those respective tables and filtering to show records where the script field contains `.query()`, `.get('`, or `.getXMLWait(`.
For example, in the _sys\_script\_client_ table, you can use the following encoded query as a starting point:
> _scriptLIKE.query()^ORscriptLIKE.get('^ORscriptLIKE.getXMLWait(_
Here are some relevant articles to help you _get around_ the need to perform queries or GlideAjax calls synchronously, such as in onSubmit client scripts, and to DRASTICALLY improve performance over the existing out-of-box client-side GlideRecord class:
1. [Performing asynchronous queries in onSubmit ServiceNow Client Scripts or Catalog Client Scripts](https://onsubmit.snc.guru)
2. [A better, MUCH more efficient client-side GlideRecord class](https://egr.snc.guru)
3. [How to debug ServiceNow Client Scripts, UI Policy Scripts, and Catalog Client Scripts in your browser](https://clientdebug.snc.guru)
---
## 5️⃣ `current.update()` in Business Rules
This one won’t be news to most of you, but using `current.update()` in Business Rules in ServiceNow is pretty much universally a bad idea.
If you need to update the _current_ record, you should be making any necessary changes in a **before** Business Rule. If you need to update other records that would be displayed in the form or related lists on the _current_ record, you should do so in an **after** Business Rule. If you need to update some peripheral record that isn't shown in the form of the record that triggered the Business Rule, then you should typically use an **async** Business Rule.
In none of these scenarios should you ever use `current.update()`.
Search your Business Rules table (`sys_script`) for any records where the Script field contains `current.update(` to identify BRs with this issue.
---
## ✨ **Bonus tip 1**: Plain-text auth headers `ಠ_ಠ`
If you see auth headers with values such as `Bearer dGghczEkNFBhU3N2djByZGxvbG9sb2xrdGh4YmFpaQ==`, you may think that that's secure. I mean, that doesn't look like a password, right? But alas, that is a base64-encoded string... and **encoding is not the same as encryption**!
Navigate to the URL: `/sys_rest_message_fn_headers_list.do?sysparm_query=nameSTARTSWITHAuth%5EORvalueSTARTSWITHbearer`
Make sure that the **Value** column is visible.
If you see any values that look like long random alphanumeric strings, they are probably base64-encoded strings, which can be easily _decoded_ into their text values. Those should typically be converted into auth profile records associated with the REST Methods, and NEVER stored in plain text!
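To sort the rows from that list by how urgently they need rotating, the following added example (not from the article) classifies each header value: base64 that decodes to readable text, Basic credentials, a literal token, or a `${variable}` substitution. It runs in Node.js using `Buffer`; the sample rows other than the value quoted above, and all function names, are constructed for illustration.

```javascript
// Added example (not from the article). Runs in Node.js; in a background
// script, swap Buffer for GlideStringUtil.base64Decode().

// Constructed rows shaped like sys_rest_message_fn_headers records.
const SAMPLE_HEADERS = [
  // The value quoted in the article.
  { name: 'Authorization', value: 'Bearer dGghczEkNFBhU3N2djByZGxvbG9sb2xrdGh4YmFpaQ==' },
  // Constructed Basic credentials.
  { name: 'Authorization', value: 'Basic ' + Buffer.from('svc_account:example-only').toString('base64') },
  // Constructed token that is not base64-shaped (dots, as in a JWT).
  { name: 'Authorization', value: 'Bearer example.jwt.placeholder' },
  // Constructed variable substitution: nothing secret is stored in the header.
  { name: 'Authorization', value: '${auth_header}' }
];

function decodeIfBase64(token) {
  // Check the shape first: Buffer.from(x, 'base64') silently skips invalid characters.
  if (token.length < 8 || token.length % 4 !== 0 || !/^[A-Za-z0-9+\/]+={0,2}$/.test(token)) {
    return null;
  }
  const text = Buffer.from(token, 'base64').toString('latin1');
  return /^[\x20-\x7e]+$/.test(text) ? text : null; // printable ASCII only
}

function triageHeader(row) {
  const value = row.value.trim();
  if (/^\$\{[^}]+\}$/.test(value)) {
    return { name: row.name, finding: 'variable-substitution' };
  }
  const m = /^(basic|bearer)\s+(\S+)$/i.exec(value);
  const scheme = m ? m[1].toLowerCase() : 'none';
  const decoded = decodeIfBase64(m ? m[2] : value);
  if (decoded === null) {
    // Still a credential stored in the clear, just not a base64-wrapped one.
    return { name: row.name, scheme, finding: 'literal-token' };
  }
  if (scheme === 'basic' && decoded.includes(':')) {
    // Report which account to rotate, never the password.
    return { name: row.name, scheme, finding: 'basic-credentials', user: decoded.split(':')[0] };
  }
  return { name: row.name, scheme, finding: 'base64-readable-text', decodedLength: decoded.length };
}

function triageHeaders(rows) {
  return rows.map(triageHeader);
}

console.log(triageHeaders(SAMPLE_HEADERS));
```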
## ✨ **Bonus tip 2**: Using `.getRowCount()` vs. `GlideAggregate`
There _are_ legitimate uses for the `.getRowCount()` API method of GlideRecord, but they are relatively rare when it comes to production code.
Search **all** of your scripts for instances of scripts using `GlideRecord`'s `.getRowCount()` method, and try to identify which instances of it can be replaced with a `GlideAggregate` query instead. This is usually the case when the main function of the `GlideRecord` query is _just_ to get the row count, which is much, much slower using `GlideRecord` than `GlideAggregate`.
---
Do **you** know of any major risks in ServiceNow that people should be made aware of? Let us know in the comments below!
If you see someone with some helpful ideas in the comments, be sure to drop them a _like_!
If you like my content, be sure to [subscribe to the SN Pro Tips newsletter on snprotips.com](https://snprotips.com/subscribe), and [subscribe on LinkedIn](https://www.linkedin.com/build-relation/newsletter-follow?entityUrn=6993968603075158016)!
https://snprotips.com/blog/2023/3-ways-to-check-your-servicenow-instance-for-dangerous-code-in-less-than-5-minutes