Contrary to popular belief, X-Frame-Options is not a proper mitigation for CVE-2015-0072 (the Internet Explorer Universal Cross-Site Scripting vulnerability). In this short video we demonstrate how this issue can be abused to attack a website that has set the X-Frame-Options header to DENY. As the video shows, the payload can still be injected into the target site even though the site is not rendered in an iframe.