Clickjacking (CWE-1021: Improper Restriction of Rendered UI Layers or Frames). This SameSite value prevents cookies from being sent in iframes, which essentially breaks any clickjacking attack that relies on the user being logged in. Some files provide "coverage graphs," in which the members of a smaller view are highlighted within the (View Assignment - IAS, Group 4, 3BSIT2). The CWE definition for the vulnerability is CWE-451. This article summarizes my study of "White Hat Talks Web Security" (《白帽子讲WEB安全》) and draws on articles by various experts; discussion and corrections are welcome. In 2008, an attack called Click Jacking (点击劫持) was discovered; this kind of attack affected almost all desktop platforms, including IE, Firefox and Opera. The manipulation with an unknown input leads to a clickjacking vulnerability. Figure 9-1: Clickjacking inline frame illustration. Clickjacking is a well-known web application vulnerability. Insecure Direct Object Reference (IDOR) (CWE-639): Overview, Description. 3603 could allow an unauthenticated, remote attacker to affect the integrity of a device via a clickjacking attack. These code snippets set the HTTP response headers responsible for mitigating clickjacking. Clickjacking is a web security vulnerability that allows an attacker to trick users into clicking on hidden web page elements. The software performs operations on a memory buffer, but it can read from or write to a memory location that is outside of the 2023 CWE Top 10 KEV Weaknesses. 1% in 2006, but its true PDFs with Graphical Depictions of CWE (Version 4.13). The application does not protect the web page root\advanced. The timing of a button click causing a popup to disappear was approximately the same length as the anti-clickjacking delay on permission prompts. .NET Deserialization RCE: CWE-502: High. AbanteCart Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting'). Clickjacking (UI Redress, CWE-1021): Description: Clickjacking involves tricking a user into interacting with unintended elements by overlaying them with legitimate content.
The user is then lured into clicking on these elements and unknowingly clicks on an obscured interactive component that often comes from an embedded page. Missing clickjacking protection: CWE ID: CWE-1021: CWE Score: 6. However, the true potency of clickjacking is revealed when it is used as a carrier for another attack such as a DOM XSS attack. CWE is classifying the issue as CWE-451. x release should upgrade to the appropriate release. While being logged in to some target system, the victim visits the attacker's malicious site, which displays a UI that the victim wishes to interact with. Vulnerability Mapping: ALLOWED (This CWE ID may be used to map to real-world vulnerabilities). Abstraction: Variant. Variant - a weakness that is linked to a certain type of product, typically involving a specific language or technology. A missing delay in the directory upload UI could have made it possible for an attacker to trick a user into granting permission via clickjacking. Affected is an unknown part. ZAP is a community project actively maintained by a dedicated international team, and a GitHub Top 1000 project. 0, and Thunderbird < 115. Composite - a Compound Element that consists of two or Vidyo 02-09-/D allows clickjacking via the portal/ URI. 0 release. CWE-ID, CWE Name, Source; CWE-1021: Improper Restriction of Rendered UI Layers or Frames. Implement X-FRAME-OPTIONS in HTTP headers to prevent clickjacking attacks.
Uncovering the root causes of these vulnerabilities serves as a powerful guide for investments, policies, and practices to prevent these vulnerabilities. Some browsers would interpret these results incorrectly, allowing clickjacking attacks. These draft mappings were performed by members of the "Mapping CWE to 62443" subgroup of the CWE-CAPEC ICS/OT Special Interest Group (SIG), and their work is incomplete as of CWE 4. Potential_Clickjacking_on_Legacy_Browsers issue exists @ root/advanced. 05 OS: Linux. Detected at: Paths without secure XFO header: https://FQDN/bo/fonts/. CVE: "CWE-1021". Impact: medium. The impact depends on the affected web application. Cleartext Transmission of Sensitive Information (CWE-319) 5. Clickjacking can be used to perform unauthorized actions, such as deleting data, transferring funds, or changing settings. GHSA-mxvr-rwhq-rpw8. The Web Security Testing Guide (WSTG) Project produces the premier cybersecurity testing resource for web application developers and security professionals. Clickjacking attacks use CSS to create and control layers. To defend against clickjacking on your Apache web server, you can use the X-FRAME-OPTIONS header to keep your website from being attacked via clickjacking. CWE-451. Direct object references are maps of an CWE-1021: Improper Restriction of Rendered UI. CWE: 1021; WASC: 15; Technologies Targeted: All; Tags: CWE-1021, OWASP_2017_A06, OWASP_2021_A05, WSTG-V42-CLNT-09. Scan Rule Help: Summary. Web sites that do not specify the X-Frame-Options HTTP header may be vulnerable to UI redress attacks ("clickjacking").
It was possible to use this fact to surprise users by luring them to click where the permission grant button would be about to appear. Figure 1 illustrates a clickjacking attack: the victim site is framed in a transparent iframe that jsp from clickjacking attacks in legacy browsers, by using framebusting scripts. The use of X-Frame-Options or a frame-breaking script is a more fail-safe method of clickjacking protection. The 2024 CWE Top 25 is here! Often easy to find and exploit, these can lead to exploitable vulnerabilities that allow adversaries to completely take over a system, steal data, or prevent applications from working. 0 due to insufficient input sanitization and output escaping. Clickjacking, UI Redress Attack, Tapjacking. Any W3C proposal for addressing clickjacking should consider each of these threats. Enable mod_headers using this command: a2enmod headers. Basic knowledge of HTML is enough to try a clickjacking attack on a site. There are many active bug bounty programmes run by various companies to give ethical hackers a platform to test and report potential security loopholes in their products. This attack is carried out by the attacker after tricking a user into clicking a vulnerable link and thereby carrying out nefarious or fraudulent Clickjacking (点击劫持) is a visual deception technique: the attacker overlays a transparent iframe on a web page and then lures the user into acting on that page; by adjusting the position of the iframe, the forged page can be made to line up exactly with certain functions (buttons) of the victim page inside the iframe, so as to steal user information or hijack user actions. The black fade animation when exiting fullscreen is roughly the length of the anti-clickjacking delay on permission prompts. An example using the style tag and cutoff points is as follows: CWE vs CVE. This can result in a user performing fraudulent or malicious transactions.
Combining clickjacking with a DOM XSS attack. This could, as a result, nullify the added X-Frame-Options header, leading to a clickjacking attack. The frame-ancestors directive can be used in a Content-Security-Policy HTTP response header to indicate whether or not a browser should be allowed to render a page in a <frame> or <iframe>. By positioning elements over the invisible iframe, a victim can be tricked into triggering malicious or destructive actions in the invisible iframe, while they think **Clickjacking** is when an attacker uses a hidden iframe with multiple transparent or opaque layers above it to trick a user into clicking on a button or link in the iframe when they were intending to click on the top-level page. Apache. Affected is an unknown code. This attack is described as CWE-1021: Improper Restriction of Rendered UI Layers or Frames. What is clickjacking? In a clickjacking attack, the user is tricked into interacting with a user interface element that they do not see. Users running a prior 1. More specific than a Base weakness. An attacker could overlay a transparent iframe to perform click hijacking on victims. To do this, the attacker has to automatically cancel the incoming navigation request in an onBeforeUnload event handler by repeatedly submitting (for example every millisecond) a navigation request to a web page that responds with a "HTTP/1. Base level weaknesses typically describe issues in terms of 2 or 3 of the following dimensions: behavior, Vulnerability Mapping: ALLOWED (This CWE ID may be used to map to real-world vulnerabilities). Abstraction: Base. Base - a weakness that is still mostly independent of a resource or technology, but with sufficient details to provide specific methods for detection and prevention.
So far, we have looked at clickjacking as a self-contained attack. Checkmarx. 5: Compliance: OWASP TOP10 -> A5. This vulnerability occurs due to unvalidated user input. A potential clickjacking issue is reported when running a Checkmarx scan on an Angular 13 project. The OWASP Risk. Common Weakness Enumeration (CWE) is a list of software and hardware weaknesses. Sites can use this to avoid clickjacking attacks by ensuring that their content is not embedded into other sites. The user interface (UI) does not properly represent critical information to the user, allowing the information - or its source - to be obscured or spoofed. For example, it was used as an attack on X (formerly known as Twitter). The CWE Top 25 Most Dangerous Software Weaknesses List highlights the most severe and prevalent weaknesses behind the 31,770 Common Vulnerabilities and Exposures (CVE®) Records in this year's dataset. This vulnerability affects Firefox < 120, Firefox ESR < 115. The response does not set the X-FRAME-OPTIONS header, which helps protect against clickjacking attacks. For that, yes, clickjacking is indeed a real, distinct security concern. With over 35 vulnerability types used in this report, and dozens more as currently identified in CWE, this shows how most public reports concentrate only on a handful of vulnerability types. Tenable. Preface. Improper Control of Interaction Frequency (Anti-Automation) [CWE-799]. Solution: Modern web browsers The previous technique requires user interaction, but the same result can be achieved without prompting the user.
In these attacks, the vulnerable site is loaded in a frame on an attacker-controlled site which uses opaque or transparent layers to trick the user into unintentionally clicking a button or link on the Memory Corruption - Generic. The issue is reported for app. It's done by overlaying a disguised or invisible UI layer (usually using iframes) on top of a target web page, fooling users into believing they're clicking something totally different. User Interface (UI) Misrepresentation of Critical Information (Clickjacking and others) [CWE-451]. This is going to have an impact on integrity. The attacker designs a malicious page with fake visual elements. IDOR (Insecure Direct Object Reference) is the most common vulnerability found in web applications and APIs. CWE-119. The analysis shows that there is a need for in-depth study on click-jacking attacks (client-side vulnerability) and preventive measures so that early prevention and detection of such kinds of Clickjacking vulnerability in Clibo Manager v1. This vulnerability occurs due to the absence of an X-Frame-Options server-side header. A community-developed list of SW & HW weaknesses that can become vulnerabilities. This could potentially expose the site to a clickjacking or UI redress attack, in which an attacker can trick a user into clicking an area of the vulnerable page that is different from what the user perceives the page to be.
CWE: 693. CWE Top 25. Why is CWE important? Ivan Lee | February 26. Class: Clickjacking; CWE: CWE-451. Dela Cruz, Baltazar II S. The response does not protect against 'ClickJacking' attacks. CWE 639: Insecure Direct Object Reference is an access control problem that allows an attacker to view data by manipulating an identifier (for example, a document or account number). This is often a component in phishing attacks. Clickjacking, a deceitful interface-based attack, requires a comprehensive defense strategy to protect web applications and users from its potential threats. Severity: Low. Using CWE to declare the problem leads to CWE-451. The vulnerability is due to insufficient input validation of iFrame data in HTTP requests that are sent to an affected device. Figure 4.
CAPEC-103: Clickjacking. An adversary tricks a victim into unknowingly initiating some action in one system while interacting with the UI from a seemingly completely different, usually an adversary controlled or Clickjacking works by opening the target application in an invisible iframe on an attacker-controlled site and luring a victim to visit the attacker page and interact with it. The headers are the ones we discussed earlier in this guide. It is based on the web-design functionality in which two or more web frames are overlapped on each other. Technical Findings, Group #4, 3BSIT-2. Group Names: Evangelista, Lawrence M. It should include either Content-Security-Policy with the 'frame-ancestors' directive or X-Frame-Options. Construct a clickjacking attack that fools the user into clicking the "Click me" button to call the print() function. Make a clickjacking PoC, take a screenshot and share the link. CWE: Spanish National Cybersecurity Institute, S. 1; CVE-2024-9619: 2024-12-20: 6. In a clickjacking attack the victim is tricked into unknowingly initiating some action in one system while interacting with the UI from a seemingly completely different system. An attacker may trick a user into clicking a link and affect the integrity of a device by exp Clickjacking: X-Frame-Options header. SMAX Version: 2022. .htaccess File Detected: CWE-443: Informational. Definition, examples.
With clickjacking, the action is performed within the user's browser, by the user himself, and inside the legitimate page (loaded within an iFrame). component. Environment: SMAX Version: 2022. Without the restrictions, users can be tricked into interacting with the application when they were not intending to. frame-ancestors allows a site to authorize multiple domains using CWE Identifier: CWE-1021 (UI Redress). Frame Busting Bypass (CWE-1021): Description: Frame busting (frame-breaking) scripts are used to prevent a webpage from being framed or Clickjacking (UI Redressing) 5. As an impact it is known to affect integrity. 12 in the '/public/login' directory, a login panel. 05 Situation Description: Clickjacking: CSP frame-ancestors missing. Detected at: Paths without CSP frame-ancestors: This lab contains an XSS vulnerability that is triggered by a click. Timing: the product is performing a state transition or context switch that In reality, the clickjacked page has a transparent layer above the visible UI with action controls that the adversary wishes the victim to execute. html file. The Taxonomy_Mappings to ISA/IEC 62443 were added in CWE 4. This section contains config snippets that are handy for system admins to fix clickjacking.
This can cause users to unwittingly download malware, visit malicious web pages, provide credentials or sensitive information, transfer money, or purchase products online. Thus, the attacker is "hijacking" clicks meant for their page and routing them to another page, most A. Historically, clickjacking has been used to perform behaviors such as boosting "likes" on a Facebook page. Common Weakness Enumeration. NOTICE: This is a previous version of the Top 25. However, in scenarios where content must be frameable, then a window. The Possible solutions sections are currently just suggestions until they can be evaluated within the context of a formally proposed design. This manipulation can lead to unintended consequences for the user, such as the downloading of malware, redirection to malicious web pages, provision of credentials or sensitive information, money transfers, or the online This attack can be used to perform any action the user can do on the attacked page. CVE-2024-10454 GHSA ID. CVE-2019-5243: There is a Clickjacking vulnerability in the Huawei HG255s product. 13: Mass Assignment [CWE-915]. 10, but they are still under review and might change in future CWE versions. ISO 27001. CWE entries in this view (graph) may be used to categorize potential weaknesses within sources that handle public, third-party vulnerability information, such as the National Vulnerability Database (NVD). A vulnerability in the web UI of Cisco HyperFlex Software could allow an unauthenticated, remote attacker to affect the integrity of a device via a clickjacking attack.
Figure 1: Visualization of a clickjacking attack on Twitter's account deletion page. Vulnerability Mapping: ALLOWED (This CWE ID could be used to map to real-world vulnerabilities in limited situations requiring careful review, with careful review of mapping notes). Abstraction: Class. Class - a weakness that is described in a very abstract fashion, typically independent of any specific language or technology. Variant level weaknesses typically describe issues in terms of 3 to 5 of the following dimensions: behavior, (Possible) Cross site scripting: CWE-79: Informational. To use the SameSite attribute as an additional layer of protection against clickjacking, configure the SameSite attribute on your session-related cookies to one of the following values:
* CWE-451: User Interface (UI) Misrepresentation of Critical Information (Clickjacking and others)
* CWE-601: Unvalidated Forward and Redirects
* CWE-799: Improper Control of Interaction Frequency (Anti-Automation)
* CWE-829: Inclusion of Functionality from Untrusted Control Sphere (3rd Party Content)
* CWE-918: Server-Side Request Forgery (SSRF)
The main
The attacker includes the target site as an iframe layer overlaid on the decoy site. NVD enrichment efforts reference publicly available information to associate vector strings. Clickjacking (CWE-693): Web servers that omit the X-Frame-Options or Content-Security-Policy 'frame-ancestors' response headers on many responses may be exposed to a clickjacking or UI redress attack. After reviewing which categories would already be covered by data, the end result was the additions of You can test HTTPS, HTTP, intranet and internal sites. The victim surfs the attacker's web page with the intention of interacting with the visible user interface, but is inadvertently performing actions on the hidden web page. Clickjacking is an attack that tricks a user into clicking a webpage element which is invisible or disguised as another element. The victim clicks on buttons or other UI There are two main techniques used to accomplish this. It has been classified as problematic. This vulnerability affects Firefox < 131, Firefox ESR < 128. An attacker could exploit this vulnerability by sending crafted HTTP advancements in clickjacking techniques [22] using drag-and-drop to extract and inject data into frames further demonstrate the importance of secure frame busting. This page is intended to enumerate the known types of clickjacking attacks and possible mitigation strategies. The risk of this Clickjacking, also known as a "UI redress attack", is when an attacker uses multiple transparent or opaque layers to trick a user into clicking on a button or link on another page when they were intending to click on the top-level page.
This combination poses a significant threat to web So, in short: Your proposed attack is indeed plausible, but we use anti-clickjacking to defeat completely different attacks. The first is to leverage transparent properties that allow taps on the screen to pass through the visible application to Clickjacking, a subset of UI redressing, is a malicious technique whereby a web user is deceived into interacting (in most cases by clicking) with something other than what the user believes Clickjacking, also known as a UI redress attack, is a type of malicious technique used by attackers to trick users into clicking on a button or link on a web page, which will then Clickjacking with a frame buster script represents a scenario where an attacker attempts to bypass or disable frame buster scripts to carry out clickjacking attacks. Vulnerability details and guidance. 16) The following PDF files provide graphical representations of various CWE views, which provide a way of quickly seeing the structure implied by the parent relationships in those views. 3, and Thunderbird < 131. .NET HTTP Remoting publicly exposed: CWE-502: High. 4 Medium: The WP SHAPES plugin for WordPress is vulnerable to Stored Cross-Site Scripting via SVG File uploads in all versions up to, and including, 1. .NET JSON. Mitigation: The fix to consistently apply the security headers was applied on the Apache NiFi 1. jsp in branch master. 3) Cross-Site Request Forgery (CSRF) remains a 'sleeping giant' [Grossman]. This can potentially allow 'ClickJacking' attacks where an attacker can frame parts of the application on a malicious web site, revealing sensitive user information such as authentication credentials.
Valentino, Meena. This allows an attacker to trick a targeted user into executing unintended actions. By design, this view is incomplete. Preventing clickjacking demands a In a clickjacking attack, a user is tricked into clicking an element on a webpage that is either invisible or disguised as a different element. confirm() can be used to help mitigate clickjacking. Clickjacking is a newly discovered breach in network security. pdf from CCS KONFIL1 at New Era University. CSRF appears very rarely in CVE, less than 0. Using the hidden page, an attacker can deceive users into performing actions they never intended to perform through Test and learn Clickjacking. But most A vulnerability in the web UI of Gurock TestRail v5. html even if I try fixing this issue using frame busting scripts in index. 1 204 No Here is a list of the top 10 CWEs related to clickjacking:
• CWE-601: URL Redirection to Untrusted Site ('Open Redirect')
• CWE-79: Cross-Site Scripting (XSS)
• CWE-451: Improper Blacklisting
• CWE-352: Cross-Site Request Forgery (CSRF)
• CWE-918: Server-Side Request Forgery (SSRF)
• CWE-290: Authentication Bypass by Spoofing
• CWE
A successful exploit could allow the attacker to perform a clickjacking attack where the user is tricked into clicking a malicious link. For example, users may think they Clickjacking is purely based on mouse click events and it is a very simple attack to carry out.
(INCIBE) CWE. Clickjacking (classified as a user interface redress attack or UI redressing) is a malicious technique of tricking a user into clicking on something different from what the user perceives, thus potentially revealing confidential information or allowing others to take control of their computer while clicking on seemingly innocuous objects. LedgerSMB does not sufficiently guard against being wrapped by other sites, making it vulnerable to 'clickjacking'. "Tapjacking" is similar to clickjacking, except it is used for mobile applications. This is the problem that enables clickjacking attacks, although many other types of attacks exist that involve overlay.