Multi-Stage Clickjacking
Run privileged actions bypassing authentication, 2FA and SSO.
Hijack multiple clicks, on multiple pages, transparently to the target user, without changing the layout of the website.
Matadoor is the ultimate Proof of Concept to demonstrate how disruptive a lack of anti-framing HTTP headers can be!
Use it legally, for pen-testing and bug bounties only!
Invisibly hijack the user's whole browser experience.
Record a privileged action
Record an action you want the victim to perform. It's as simple as recording a screen.
Turn the recording into an exploit
With one click of a button, generate JavaScript code that performs the recorded action in the background.
Paste the code into a website you control
Add the code into your website and have the victim visit it.
Abuse started sessions
If the victim's browser holds a cookie proving successful authentication (even via 2FA/SSO), the recorded actions will be replayed (performed) by the victim without their knowledge.
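The attack described above depends on two server-side conditions: the target page can be framed by another origin, and its session cookie is still sent inside that frame. As an added example (not part of Matadoor or the original page), this JavaScript audits a response's headers for both; the function names and sample headers are constructed for illustration.

```javascript
// Added example: header names are assumed lower-cased; 'set-cookie' is an array.
function framingPolicy(headers) {
  const csp = headers['content-security-policy'] || '';
  const fa = csp.split(';').map(d => d.trim().split(/\s+/))
    .find(d => d[0].toLowerCase() === 'frame-ancestors');
  if (fa) {
    // frame-ancestors takes precedence over X-Frame-Options in browsers that support it.
    // Only 'none' / 'self' (or an empty list, which means 'none') keep other origins out.
    const sources = fa.slice(1).map(s => s.toLowerCase());
    const strict = sources.every(s => s === "'none'" || s === "'self'");
    return { via: 'csp', framable: !strict };
  }
  const xfo = (headers['x-frame-options'] || '').trim().toUpperCase();
  if (xfo === 'DENY' || xfo === 'SAMEORIGIN') return { via: 'xfo', framable: false };
  // ALLOW-FROM is obsolete and ignored by current browsers, so it counts as no protection.
  return { via: xfo ? 'xfo-ineffective' : 'none', framable: true };
}

function cookieSameSite(setCookie) {
  const [pair, ...attrs] = setCookie.split(';').map(p => p.trim());
  const ss = attrs.map(a => a.split('=').map(s => s.trim().toLowerCase()))
    .find(a => a[0] === 'samesite');
  const mode = ss ? (ss[1] || 'invalid') : 'unset';
  // Lax and Strict cookies are withheld from cross-site subframe requests.
  // 'none', unset or invalid values are flagged: behaviour then depends on browser defaults.
  return { name: pair.split('=')[0], mode,
           mayBeSentInCrossSiteFrame: mode !== 'lax' && mode !== 'strict' };
}

function auditResponse(headers) {
  const policy = framingPolicy(headers);
  const exposedCookies = (headers['set-cookie'] || []).map(cookieSameSite)
    .filter(c => c.mayBeSentInCrossSiteFrame).map(c => c.name);
  return { ...policy, exposedCookies, atRisk: policy.framable && exposedCookies.length > 0 };
}

// Constructed sample responses (not captured from any real site).
const samples = {
  unprotected: { 'set-cookie': ['sid=abc123; Path=/; Secure; HttpOnly; SameSite=None'] },
  hardened: {
    'content-security-policy': "default-src 'self'; frame-ancestors 'none'",
    'x-frame-options': 'DENY',
    'set-cookie': ['sid=abc123; Path=/; Secure; HttpOnly; SameSite=Lax'],
  },
};
for (const [name, headers] of Object.entries(samples)) {
  console.log(name, JSON.stringify(auditResponse(headers)));
}
```

A response flagged `atRisk` is fixed by sending `Content-Security-Policy: frame-ancestors 'none'` (or `'self'`) on every authenticated page and setting the session cookie to `SameSite=Lax` or `Strict`.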