The NetBackup Appliance Web Console is not subject to "clickjacking."

Article: 100032619
Last Published: 2025-10-23
Product(s): Appliances

Problem

Veritas Technologies LLC was provided an independent Nessus Vulnerability Scanner report indicating that the NetBackup Appliance Web Console does not set an X-Frame-Options response header and could therefore be exposed to clickjacking.

Error Message

Example report from Nessus:

443/tcp
85582 - Web Application Potentially Vulnerable to Clickjacking

Synopsis: The remote web server may fail to mitigate a class of web application vulnerabilities.
Description: The remote web server does not set an X-Frame-Options response header or a Content-Security-Policy 'frame-ancestors' response header in all content responses. This could potentially expose the site to a clickjacking or UI redress attack, in which an attacker can trick a user into clicking an area of the vulnerable page that is different than what the user perceives the page to be. This can result in a user performing fraudulent or malicious transactions.

More information on this Nessus Plugin can be found at:
 https://www.tenable.com/plugins/index.php?view=single&id=85582

Cause

According to the Clickjacking Defense Cheat Sheet:
Defending with X-Frame-Options Response Headers

The X-Frame-Options HTTP response header can be used to indicate whether or not a browser should be allowed to render a page in a <frame> or <iframe>. Sites can use this to avoid Clickjacking attacks, by ensuring that their content is not embedded into other sites.

Solution

The NetBackup Appliance Web Console sends the 'X-Frame-Options' response header and is not subject to Clickjacking attacks.

Testing for Clickjacking (OTG-CLIENT-009)

The first step in discovering if a website is vulnerable is to check if the target web page could be loaded into an iframe. To do this you need to create a simple web page that includes a frame containing the target web page. The HTML code to create this testing web page is displayed in the following snippet:

<html>
   <head>
     <title>Clickjack test page</title>
   </head>
   <body>
     <p>Website is vulnerable to clickjacking!</p>
     <iframe src="http://www.target.site" width="500" height="500"></iframe>
   </body>
</html>


Result Expected: If you can see both the text "Website is vulnerable to clickjacking!" at the top of the page and your target web page successfully loaded into the frame, then your site is vulnerable and has no type of protection against Clickjacking attacks. Now you can directly create a "proof of concept" to demonstrate that an attacker could exploit this vulnerability.
Note: Independent tests using the HTML code above indicate that the NetBackup Appliance Web Console does not load into the frame.

The Nessus finding provided is a false positive.
The NetBackup Appliance Web Console is not subject to the "Clickjacking" vulnerability.
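The iframe test above shows whether a page can be framed; the complementary check from the defender's side is to confirm that every response carries one of the two headers the Nessus plugin looks for, X-Frame-Options or a Content-Security-Policy frame-ancestors directive. The following script is an added example written for this article, not Veritas or Tenable code. It evaluates captured headers offline with the same rule the plugin description states, flags values that look protective but are not (the obsolete ALLOW-FROM token, frame-ancestors *, a Report-Only CSP), and walks a set of URLs because the plugin text says the header must be present in all content responses. The host name appliance.example, the URL paths, and the sample headers are constructed placeholders; the fetch helper is optional and is only needed when running against a live console.

```python
import ssl
import urllib.error
import urllib.request
from dataclasses import dataclass, field


@dataclass
class FramingVerdict:
    """Outcome of checking one response for anti-framing headers."""
    protected: bool
    mechanisms: list = field(default_factory=list)
    notes: list = field(default_factory=list)


def parse_csp(value):
    """Split a Content-Security-Policy value into {directive: [sources]}."""
    directives = {}
    for part in value.split(";"):
        tokens = part.strip().split()
        if tokens:
            directives[tokens[0].lower()] = tokens[1:]
    return directives


def assess_framing_protection(headers):
    """Apply the plugin's rule: X-Frame-Options DENY/SAMEORIGIN, or a CSP
    frame-ancestors directive that does not allow every origin."""
    lower = {k.lower(): v for k, v in headers.items()}
    verdict = FramingVerdict(protected=False)

    xfo = lower.get("x-frame-options")
    if xfo is not None:
        token = xfo.strip().upper()
        if token in ("DENY", "SAMEORIGIN"):
            verdict.protected = True
            verdict.mechanisms.append("X-Frame-Options: " + token)
        elif token.startswith("ALLOW-FROM"):
            verdict.notes.append("X-Frame-Options ALLOW-FROM is obsolete; current browsers ignore it")
        else:
            verdict.notes.append("unrecognised X-Frame-Options value %r is ignored by browsers" % xfo)

    csp = lower.get("content-security-policy")
    if csp is not None:
        sources = parse_csp(csp).get("frame-ancestors")
        if sources is None:
            verdict.notes.append("Content-Security-Policy has no frame-ancestors directive")
        elif "*" in sources:
            verdict.notes.append("frame-ancestors * permits framing by any origin")
        else:
            verdict.protected = True
            verdict.mechanisms.append("CSP frame-ancestors " + " ".join(sources))

    if "content-security-policy-report-only" in lower and not verdict.protected:
        verdict.notes.append("a Report-Only CSP is not enforced and does not block framing")
    return verdict


def fetch_headers(url, cafile=None, timeout=10):
    """Fetch one URL and return its response headers as a dict.
    cafile: path to the appliance CA certificate if it is not publicly trusted."""
    ctx = ssl.create_default_context(cafile=cafile)
    req = urllib.request.Request(url, headers={"User-Agent": "framing-check/1.0"})
    try:
        with urllib.request.urlopen(req, timeout=timeout, context=ctx) as resp:
            return dict(resp.headers)
    except urllib.error.HTTPError as err:
        # Error pages are content responses too, so they are checked as well.
        return dict(err.headers)


def audit(responses):
    """responses: {url: headers}. Returns the URLs that lack framing protection."""
    return [url for url, hdrs in responses.items()
            if not assess_framing_protection(hdrs).protected]


# Constructed sample responses (hypothetical host and paths, not captured from any appliance).
SAMPLE_RESPONSES = {
    "https://appliance.example/webconsole/": {
        "Content-Type": "text/html",
        "X-Frame-Options": "SAMEORIGIN",
    },
    "https://appliance.example/webconsole/static/app.js": {
        "Content-Type": "application/javascript",
    },
    "https://appliance.example/api/status": {
        "Content-Security-Policy": "default-src 'self'; frame-ancestors 'none'",
    },
}

if __name__ == "__main__":
    for url, hdrs in SAMPLE_RESPONSES.items():
        v = assess_framing_protection(hdrs)
        print(url, "protected" if v.protected else "UNPROTECTED", v.mechanisms, v.notes)
    print("missing protection:", audit(SAMPLE_RESPONSES))
```

Against a live console, replace SAMPLE_RESPONSES with {url: fetch_headers(url, cafile=...) for url in urls}; the list returned by audit() is exactly the set of responses a scanner would report, and an empty list corresponds to the result this article documents.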