web php deserialization hmac snuffleupagus cookie object-injection

Recover the HMAC key protecting a serialized cookie, then sign your own gadget chain instead of breaking the parser.

Forging Serialized Cookies + Snuffleupagus HMAC

The application trusts a serialized object protected only by an HMAC. Recover the key and you don't need to break parsing — you just sign your own gadget chain. Snuffleupagus may harden unserialize, but if the app expects a signed serialized blob and the key leaks, the trust model collapses.

Why It Works

  • The MAC only proves the blob was produced by someone with the key. With the key recovered (config read, code leak), forged blobs validate.

Vulnerable Pattern

  • Cookies or parameters storing raw PHP serialized data plus a MAC, especially when secret material is recoverable via config read or code leak.

Exploit Flow

  1. Recover the exact cookie format: concatenation, separators, length checks, hash algorithm.
  2. Craft the gadget payload separately and validate it round-trips through serialize / unserialize.
  3. Sign the bytes exactly as the application expects and replace the original cookie.

Variations

  • MAC computed over the raw serialized bytes, over their base64 encoding, or over name|value pairs; MAC emitted as hex or as raw binary (hash_hmac's fourth argument), which changes the length the verifier expects.

Common Blockers

  • Additional metadata checks, object allowlists, or Snuffleupagus rules that reject the dangerous class even with a valid HMAC.

PoC Sketch

$data   = serialize($payload);                        // $payload: the object graph, $secret: the recovered key
$cookie = $data . hash_hmac('sha256', $data, $secret); // hex MAC appended directly to the serialized bytes
// send it back as the cookie the notes app expects
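The defensive counterpart to the Vulnerable Pattern and Common Blockers sections above, written as an added example (it is not code from the pwneglyph page or from the secure_mood_notes challenge): the weak verifier that makes the PoC sketch work sits beside a hardened one that pins a single cookie format, compares the MAC in constant time, and never hands attacker-controlled bytes to unserialize() with object instantiation enabled. Function names and the COOKIE_SECRET placeholder are assumptions.

```php
<?php
declare(strict_types=1);

// Constructed placeholder; a real deployment loads a random key from outside the web root.
const COOKIE_SECRET = 'replace-with-a-random-32-byte-key';

// Weak pattern: loose (==) non-constant-time compare, then unserialize() of the
// raw bytes. Once the key leaks, any class with __wakeup/__destruct is reachable.
function verifyCookieWeak(string $cookie, string $secret): mixed
{
    $data = substr($cookie, 0, -64);
    $mac  = substr($cookie, -64);
    if ($mac == hash_hmac('sha256', $data, $secret)) {
        return unserialize($data);           // object instantiation allowed
    }
    return null;
}

// Hardened: base64(json) "." hex(hmac-sha256). No PHP object graph crosses the
// trust boundary, so a leaked key buys data tampering at most, not a gadget chain.
function signCookie(array $value, string $secret): string
{
    $data = base64_encode(json_encode($value, JSON_THROW_ON_ERROR));
    return $data . '.' . hash_hmac('sha256', $data, $secret);
}

function verifyCookieStrict(string $cookie, string $secret): ?array
{
    $parts = explode('.', $cookie, 2);
    if (count($parts) !== 2 || strlen($parts[1]) !== 64) {   // hex sha256 is 64 chars
        return null;
    }
    [$data, $mac] = $parts;
    $expected = hash_hmac('sha256', $data, $secret);
    if (!hash_equals($expected, $mac)) {   // constant-time comparison
        return null;
    }
    $raw = base64_decode($data, true);     // strict decode rejects stray characters
    if ($raw === false) {
        return null;
    }
    $decoded = json_decode($raw, true, 8, JSON_THROW_ON_ERROR);
    return is_array($decoded) ? $decoded : null;
}

// If the blob must stay PHP-serialized for compatibility, refuse object
// instantiation: classes in the payload become __PHP_Incomplete_Class and
// their magic methods never run.
function unserializeNoObjects(string $data): mixed
{
    return unserialize($data, ['allowed_classes' => false]);
}

// Usage (constructed sample)
$cookie = signCookie(['user' => 'alice', 'mood' => 'calm'], COOKIE_SECRET);
var_dump(verifyCookieStrict($cookie, COOKIE_SECRET));          // array(2) {...}
var_dump(verifyCookieStrict($cookie . 'x', COOKIE_SECRET));    // NULL: length check fails
var_dump(unserializeNoObjects('O:8:"stdClass":0:{}'));         // __PHP_Incomplete_Class
```

The order of checks matters: format and length are validated before any MAC work, hash_equals runs before decoding, and decoding only ever yields arrays and scalars. Note that allowed_classes => false is the last line of defence, not a substitute for the MAC: without the MAC an attacker still controls the data, just not the classes.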

Good Situations To Use It

  • A cookie carries serialized data + a MAC.
  • You can leak the secret via config/source read.
  • The class you need isn't blocked by Snuffleupagus.

Sources

  • fcsc2026/web/secure_mood_notes_2/part_1
  • fcsc2026/web/secure_mood_notes_2