VULNERABILITY TO BYPASS CLICKJACKING PROTECTION IN YOUTUBE

Date: 06 Oct 2019


I found this vulnerability back in 2017. It was interesting because the X-Frame-Options response header was set to prevent clickjacking, but I was still able to bypass it and clickjack the youtube.com domain and its subdomains. Now let's discuss the vulnerability in detail.



In the screenshot above you can see the X-Frame-Options header is set to SAMEORIGIN, which should only allow pages on the same origin to frame the content (a different subdomain is a different origin and is refused as well).

The vulnerability was simple: if the Referer header was set to https://google.com/any-end-point on the request the browser made to load the content inside the iframe, it was possible to bypass their clickjacking protection. In other words, the server decided whether to send X-Frame-Options from the Referer header, treating any path under google.com as a trusted framer. Note that the browser sets Referer itself and a framing page cannot choose its value, which is why the demonstration below rewrites the header in an intercepting proxy; the finding is that the framing policy depended on a request header the server should not have trusted.

STEPS TO REPRODUCE:

  • Write a basic clickjacking page that frames youtube.com and save it as lol.html:

    <iframe src="https://youtube.com" height="300" width="300"></iframe>
    
  • Turn on intercept in Burp Proxy.
  • Open lol.html in the browser.
  • In Burp Proxy, set the Referer header on the intercepted request for the iframe to Referer: https://google.com/onlinechallenge/ and forward it.



  • Now you can see that youtube.com is loaded inside the iframe, as shown in the screenshot above.
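As an added example (not part of the original write-up and not YouTube's or Google's code), the following Node.js script models the behaviour described above: a hypothetical server whose framing header depends on the Referer, a hardened version of the same handler, and a small evaluator that reads X-Frame-Options and CSP frame-ancestors the way a browser would to decide whether a page on another origin may frame the response. The `refererDependence` probe is the automated form of the Burp steps. All origins, the google.com prefix check and the handler logic are assumptions made for illustration.

```javascript
// Added example (not from the original write-up and not YouTube's code):
// a Node.js model of a Referer-dependent framing policy and of the probe
// that reveals it. Runs offline; the "server" handlers and origins below
// are constructed for illustration.

// Decide, from response headers, whether a page served from `frameOrigin`
// may frame a response served from `targetOrigin`. Mirrors browser
// precedence: a CSP frame-ancestors directive overrides X-Frame-Options.
// Simplification: ancestor sources are matched as exact lower-cased
// "scheme://host" strings; wildcard hosts and paths are not handled.
function framingDecision(headers, frameOrigin, targetOrigin) {
  const lower = Object.fromEntries(
    Object.entries(headers).map(([k, v]) => [k.toLowerCase(), String(v)])
  );
  const frame = frameOrigin.toLowerCase();
  const target = targetOrigin.toLowerCase();

  const csp = lower["content-security-policy"];
  if (csp) {
    const directive = csp
      .split(";")
      .map((d) => d.trim())
      .find((d) => d.toLowerCase().startsWith("frame-ancestors"));
    if (directive) {
      const sources = directive
        .split(/\s+/)
        .slice(1)
        .map((s) => s.replace(/^'|'$/g, "").toLowerCase());
      if (sources.includes("none")) return "blocked";
      if (sources.includes("self") && frame === target) return "allowed";
      return sources.includes(frame) ? "allowed" : "blocked";
    }
  }

  const xfo = (lower["x-frame-options"] || "").trim().toUpperCase();
  if (xfo === "DENY") return "blocked";
  if (xfo === "SAMEORIGIN") return frame === target ? "allowed" : "blocked";
  // No header, or a value current browsers ignore (such as the obsolete
  // ALLOW-FROM), leaves the page frameable from anywhere.
  return "allowed";
}

// Hypothetical reconstruction of the flaw the write-up describes: the
// server only emits X-Frame-Options when the Referer does not look like
// a google.com page, so a rewritten Referer removes the protection.
function vulnerableResponseHeaders(req) {
  const referer = req.headers.referer || "";
  if (referer.startsWith("https://google.com/")) {
    return { "Content-Type": "text/html" }; // framing header omitted
  }
  return { "Content-Type": "text/html", "X-Frame-Options": "SAMEORIGIN" };
}

// Hardened variant: the framing policy is unconditional and the permitted
// ancestor is named explicitly in CSP frame-ancestors, with X-Frame-Options
// kept as a fallback for clients without CSP support. The Referer header
// is never consulted. The www.google.com allowlist entry is an assumption.
function hardenedResponseHeaders(_req) {
  return {
    "Content-Type": "text/html",
    "X-Frame-Options": "SAMEORIGIN",
    "Content-Security-Policy": "frame-ancestors 'self' https://www.google.com",
  };
}

// The probe behind the Burp steps: fetch the same resource once without a
// Referer and once with the rewritten value, then compare the framing
// decision for a third-party page. A difference means the server keys its
// clickjacking protection on a request header.
function refererDependence(handler, targetOrigin, attackerOrigin, spoofedReferer) {
  const plain = framingDecision(handler({ headers: {} }), attackerOrigin, targetOrigin);
  const spoofed = framingDecision(
    handler({ headers: { referer: spoofedReferer } }),
    attackerOrigin,
    targetOrigin
  );
  return { withoutReferer: plain, withReferer: spoofed, refererChangesPolicy: plain !== spoofed };
}

// Demo with constructed origins (the attacker origin is made up).
const TARGET = "https://youtube.com";
const ATTACKER = "https://attacker.example";
const SPOOFED_REFERER = "https://google.com/onlinechallenge/";

for (const [name, handler] of [
  ["vulnerable", vulnerableResponseHeaders],
  ["hardened", hardenedResponseHeaders],
]) {
  console.log(name, refererDependence(handler, TARGET, ATTACKER, SPOOFED_REFERER));
}
```

Against a live target the same probe is two requests with and without a Referer header; if the reported framing decision differs, the policy is being derived from request data rather than being a fixed property of the response, which is the defect this write-up found.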





That's it, thanks for reading.