Please enter search query.
Search <product_name> all support & community content...
Article: 100032619
Last Published: 2025-10-23
Ratings: 0 1
Product(s): Appliances
Problem
Veritas Technologies LLC was provided an independent Nessus Vulnerability Scanner report that indicated that the NetBackup Appliance Web Console does not set an X-Frame-Options and could potentially expose the site to a clickjacking.
Error Message
Example report from Nessus:443/tcp
85582 - Web Application Potentially Vulnerable to Clickjacking
Synopsis: The remote web server may fail to mitigate a class of web application vulnerabilities.
Description: The remote web server does not set an X-Frame-Options response header or a Content-Security-Policy 'frame-ancestors' response header in all content responses. This could potentially expose the site to a clickjacking or UI redress attack, in which an attacker can trick a user into clicking an area of the vulnerable page that is different than what the user perceives the page to be. This can result in a user performing fraudulent or malicious transactions.
More information on this Nessus Plugin can be found at:
https://www.tenable.com/plugins/index.php?view=single&id=85582
Cause
According to Clickjacking Defense Cheat Sheet:
Defending with X-Frame-Options Response Headers
The X-Frame-Options HTTP response header can be used to indicate whether or not a browser should be allowed to render a page in a <frame> or <iframe>. Sites can use this to avoid Clickjacking attacks, by ensuring that their content is not embedded into other sites.
The X-Frame-Options HTTP response header can be used to indicate whether or not a browser should be allowed to render a page in a <frame> or <iframe>. Sites can use this to avoid Clickjacking attacks, by ensuring that their content is not embedded into other sites.
Solution
The NetBackup Appliance includes 'X-Frame-Options' and is not subject to Clickjacking attacks.Testing for Clickjacking (OTG-CLIENT-009)
The first step in discovering if a website is vulnerable is to check if the target web page could be loaded into an iframe. To do this you need to create a simple web page that includes a frame containing the target web page. The HTML code to create this testing web page is displayed in the following snippet:<html>
<head>
<title>Clickjack test page</title>
</head>
<body>
<p>Website is vulnerable to clickjacking!</p>
<iframe src="http://www.target.site" width="500" height="500"></iframe>
</body>
</html>
Result Expected: If you can see both the text "Website is vulnerable to clickjacking!" at the top of the page and your target web page successfully loaded into the frame, then your site is vulnerable and has no type of protection against Clickjacking attacks. Now you can directly create a "proof of concept" to demonstrate that an attacker could exploit this vulnerability.
Note: Independent tests using the HTML code above indicate that the NetBackup Appliance Web Console does not load into the frame.
The Nessus tests provided indicates a false-positive.
The NetBackup Appliance Web Console is not subject to "Clickjacking" vulnerability.
Was this content helpful?
Translated Content
Please note that this document is a translation from English, and may have been machine-translated. It is possible that updates have been made to the original version after this document was translated and published. Veritas does not guarantee the accuracy regarding the completeness of the translation. You may also refer to the English Version of this knowledge base article for up-to-date information.