I have recently come across clickjacking and how it is reliant upon a vulnerability in the iFrame relating to same user-origin and the Content Security Policy (CSP) not being set up.
What I don't understand is how clickjacking is dangerous and its true usage. Sure, you may be able to put a vulnerable login page and have invisible buttons – but then how does it all work in terms of an attacker getting what they want?
My understanding is that an iFrame or inline frame is essentially a window and HTML tag that allows one to embed third-party content on their website. So for example, Google Maps or even a Twitter Feed.
But then what I don't quite get is how it can be used to cause damage and in what cases.
If someone could clarify this, that would be great!
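
Added example, not part of the original post: a check a site owner can run over a response's headers to see whether another origin is allowed to embed the page in a frame, which is the control whose absence the question refers to. The `X-Frame-Options` header is not mentioned in the post, and the function names and `.example` origins are constructed for illustration.

```javascript
// Decide whether a response's headers let `framerOrigin` embed the page.
// Simplifications (assumptions of this example): a single framing ancestor,
// a single CSP header, and no host-wildcard sources such as https://*.example.
function parseFrameAncestors(csp) {
  for (const directive of (csp || "").split(";")) {
    const [name, ...sources] = directive.trim().split(/\s+/);
    if (name.toLowerCase() === "frame-ancestors") return sources;
  }
  return null; // directive absent: CSP places no limit on framing
}

function sourceMatches(source, framerOrigin, pageOrigin) {
  const s = source.toLowerCase();
  if (s === "'self'") return framerOrigin === pageOrigin;
  if (s === "*") return true;
  // Scheme source such as "https:" matches any origin on that scheme.
  if (/^[a-z][a-z0-9+.-]*:$/.test(s)) return framerOrigin.startsWith(s);
  return s === framerOrigin; // exact origin; 'none' never matches anything
}

function canBeFramedBy(headers, pageOrigin, framerOrigin) {
  const h = {};
  for (const [k, v] of Object.entries(headers)) h[k.toLowerCase()] = String(v);
  const page = pageOrigin.toLowerCase();
  const framer = framerOrigin.toLowerCase();

  const ancestors = parseFrameAncestors(h["content-security-policy"]);
  if (ancestors !== null) {
    // When frame-ancestors is present, browsers ignore X-Frame-Options.
    return ancestors.some((s) => sourceMatches(s, framer, page));
  }
  const xfo = (h["x-frame-options"] || "").trim().toUpperCase();
  if (xfo === "DENY") return false;
  if (xfo === "SAMEORIGIN") return framer === page;
  // No header, or an obsolete value such as ALLOW-FROM: framing is not restricted.
  return true;
}

// Constructed sample responses for a page served from https://app.example
const PAGE = "https://app.example";
const samples = [
  {},                                                           // no protection
  { "Content-Security-Policy": "default-src 'self'" },          // CSP set, but no frame-ancestors
  { "X-Frame-Options": "SAMEORIGIN" },
  { "Content-Security-Policy": "default-src 'self'; frame-ancestors 'none'" },
];
for (const hdrs of samples) {
  console.log(JSON.stringify(hdrs), "-> framable by another origin:",
    canBeFramedBy(hdrs, PAGE, "https://other.example"));
}
```

Note that `default-src` does not act as a fallback for `frame-ancestors`, so the second sample still reports the page as framable.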