Posted by Dimitris Strevinas on Feb 08
Ben, we have reproduced the vulnerability on many occasions.
First of all, at least to steal the session, it does not matter whether
X-Frame-Options is set to deny/same-origin.
Secondly, we were able to easily bypass the alert popup. It is not needed if
you implement the “waiting” logic with a synchronous AJAX call or a looped
wait (there is no sleep in JS).
The most important part is that the “1.php” in the original POC should…