I found this vulnerability back in 2017. It was interesting as the X-Frame-Options response header was set to avoid clickjacking, but I was able to bypass it and clickjack the youtube domain and its subdomains. Now let's discuss the vulnerability in detail.
In the above screenshot you can see that the X-Frame-Options header is set to sameorigin, which should allow only the current site (the same origin) to frame the contents.
The vulnerability was simple: if the Referer header value could be set to https://google.com/any-end-point while the browser made the request to load the contents inside the iframe, it was possible to bypass their clickjacking protection.
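The failure mode above is a framing policy that depends on request-supplied data. The following is an added example, not code from the original post or from the site it describes: a toy model of a server deciding its framing headers (the Referer allow-list rule, the function names and the Referer values are assumptions), beside a hardened version that never keys the decision on Referer, plus a defender-side check that a response actually carries framing protection via X-Frame-Options or CSP frame-ancestors.

```javascript
// Added example (not from the original post). Models a server-side framing
// policy and a response-header check. All names and values are assumptions.

// Assumed model of the reported behaviour: the protection is dropped whenever
// the Referer host looks like google.com. Referer is just a request header the
// server receives, so this is not a trustworthy basis for the decision.
function framingHeadersVulnerable(referer) {
  let host = "";
  try { host = new URL(referer).hostname; } catch (e) { host = ""; }
  if (host === "google.com" || host.endsWith(".google.com")) {
    return {}; // no X-Frame-Options: the response becomes frameable
  }
  return { "x-frame-options": "SAMEORIGIN" };
}

// Hardened policy: emit the protection on every response regardless of the
// Referer, using both the legacy header and the CSP frame-ancestors directive.
function framingHeadersHardened(referer) {
  return {
    "x-frame-options": "SAMEORIGIN",
    "content-security-policy": "frame-ancestors 'self'",
  };
}

// Defender-side check over a header map with lowercase names: true only if
// X-Frame-Options is DENY/SAMEORIGIN or CSP contains a frame-ancestors directive.
function hasFramingProtection(headers) {
  const xfo = (headers["x-frame-options"] || "").trim().toUpperCase();
  if (xfo === "DENY" || xfo === "SAMEORIGIN") return true;
  const csp = headers["content-security-policy"] || "";
  return csp.split(";").some(d => d.trim().toLowerCase().startsWith("frame-ancestors"));
}

// Constructed Referer values used to exercise both policies.
const referers = [
  "https://youtube.com/watch",
  "https://google.com/any-end-point",
  "https://other.example/page",
  "",
];

// Returns the Referer values for which a policy leaves the response frameable.
function audit(policy) {
  return referers.filter(r => !hasFramingProtection(policy(r)));
}

console.log("vulnerable policy frameable for:", audit(framingHeadersVulnerable));
console.log("hardened policy frameable for:", audit(framingHeadersHardened));
```

Running the audit against real responses means fetching each endpoint with several Referer values and feeding the lowercase header map to hasFramingProtection; any non-empty result is a finding.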
STEPS TO REPRODUCE:
<iframe src="https://youtube.com" height="300" width="300"></iframe>
That's it, thanks for reading.