x.ai Infrastructure Mapping: Segmented Architecture & WAF Defense

Overview

Active reconnaissance of x.ai’s subdomain infrastructure points to a deliberately segmented architecture that isolates web-facing endpoints from backend services. This report documents the infrastructure topology observed during Phase 4 active probing.

Subdomain Topology

Live Endpoints

console.x.ai (307 Redirect)

  • Authentication-protected console interface
  • Redirects unauthenticated requests (307) to the /home path
  • Fronted by Cloudflare (CF-RAY response header present)
  • Likely a Next.js-based application

api.x.ai (421 Misdirected Request)

  • Backend API ingress running Envoy (WASM filters)
  • Responds with the identifier “prod-ic-ingress-fallback”
  • 421 Misdirected Request is what Envoy returns when the HTTP Host header does not match the TLS SNI the connection was established for; the SNI/Host mismatch therefore points to host-based routing segregation rather than a misconfiguration
  • Not usable as a plain public HTTP endpoint: requests are rejected unless they arrive for the virtual host the ingress expects
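The two checks behind these findings, a raw-response fingerprint for the CF-RAY / Server: envoy / 421 indicators and a probe that sets the TLS SNI and the HTTP Host header independently, as an added Python example that is not part of the original report. The sample responses are constructed to match the findings above, not captured from x.ai; placing the “prod-ic-ingress-fallback” string in the response body is an assumption, since the report does not say where it appears.

```python
"""Fingerprint raw HTTPS responses for the indicators above; optionally probe live."""
import socket
import ssl
import sys


def parse_raw_response(raw: bytes) -> dict:
    """Split a raw HTTP/1.x response into status code, lower-cased headers and body."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    status = int(lines[0].split(" ", 2)[1])          # "HTTP/1.1 421 Misdirected Request"
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return {"status": status, "headers": headers, "body": body}


def fingerprint(resp: dict) -> dict:
    """Map a parsed response onto the report's indicators."""
    h, status = resp["headers"], resp["status"]
    return {
        "status": status,
        "cloudflare": "cf-ray" in h,                       # Cloudflare adds CF-RAY to proxied responses
        "envoy": h.get("server", "").lower() == "envoy",   # Envoy's default Server header
        "host_sni_mismatch": status == 421,                # Envoy answers 421 when Host != SNI
        "redirect_to": h.get("location") if 300 <= status < 400 else None,
        "body_snippet": resp["body"][:80].decode("utf-8", "replace").strip(),
    }


def probe(sni: str, host_header: str, path: str = "/", timeout: float = 10.0) -> dict:
    """Handshake with server_hostname=sni, then send an arbitrary Host header.
    Varying the two independently is how a 421 host/SNI mismatch is confirmed."""
    request = (f"GET {path} HTTP/1.1\r\nHost: {host_header}\r\n"
               f"User-Agent: recon-probe\r\nConnection: close\r\n\r\n").encode()
    ctx = ssl.create_default_context()
    chunks = []
    with socket.create_connection((sni, 443), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=sni) as tls:
            tls.sendall(request)
            try:
                while chunk := tls.recv(65536):
                    chunks.append(chunk)
            except (ssl.SSLError, ConnectionError):
                pass                                       # peer closed without close_notify
    return fingerprint(parse_raw_response(b"".join(chunks)))


# Constructed sample responses shaped like the findings above (not captures from x.ai).
SAMPLE_CONSOLE = (b"HTTP/1.1 307 Temporary Redirect\r\nLocation: /home\r\n"
                  b"CF-RAY: 8a1b2c3d4e5f6789-SJC\r\nServer: cloudflare\r\n"
                  b"Content-Length: 0\r\n\r\n")
SAMPLE_API = (b"HTTP/1.1 421 Misdirected Request\r\nServer: envoy\r\n"
              b"Content-Type: text/plain\r\nContent-Length: 24\r\n\r\n"
              b"prod-ic-ingress-fallback")   # body placement of the tag is an assumption

if __name__ == "__main__":
    if len(sys.argv) == 3:                                 # python fingerprint.py <sni> <host-header>
        print(probe(sys.argv[1], sys.argv[2]))
    else:
        for name, raw in (("console", SAMPLE_CONSOLE), ("api", SAMPLE_API)):
            print(name, fingerprint(parse_raw_response(raw)))
```

Running the script with an SNI and a different Host header (for example the SNI of one subdomain and the Host of another) is the direct test for the 421 behaviour; running it with no arguments fingerprints the constructed samples offline.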

auth.x.ai & status.x.ai (403 Forbidden)


Juice Shop SQL Injection — Intelligence Report

Vulnerability Overview

Type: SQL Injection (CWE-89)
CVSS Score: 9.8 (Critical)
MITRE ATT&CK: T1190 (Exploit Public-Facing Application)
OWASP Top 10: A03:2021 – Injection

Affected Endpoint

  • Path: /rest/user/login
  • Method: POST
  • Content-Type: application/json
  • Vulnerability: Authentication Bypass via SQL Injection

Technical Details

Vulnerability Chain

The Juice Shop login endpoint accepts a JSON payload with email and password fields. The email value is concatenated directly into the SQL statement rather than bound as a parameter, so a single quote in the email terminates the string literal and lets the attacker rewrite the rest of the WHERE clause; a trailing SQL comment (--) drops the password check altogether, which is what turns this injection into an authentication bypass.
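The vulnerable pattern beside its parameterized fix, as an added Python/sqlite3 example written for this page rather than taken from Juice Shop's own (Node.js/Sequelize) source. The Users table, its rows and the unsalted SHA-256 password column are constructed for the demo and do not reflect Juice Shop's schema; only the concatenation-versus-binding contrast is the point.

```python
"""Login query built by string concatenation vs. with bound parameters."""
import hashlib
import sqlite3


def _hash(password: str) -> str:
    # Unsalted digest purely so the demo has a password column; not Juice Shop's scheme.
    return hashlib.sha256(password.encode()).hexdigest()


def make_db() -> sqlite3.Connection:
    """In-memory Users table with constructed sample rows."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE Users (id INTEGER PRIMARY KEY, email TEXT, password TEXT, role TEXT)")
    db.executemany("INSERT INTO Users (email, password, role) VALUES (?, ?, ?)", [
        ("admin@juice-sh.op", _hash("admin123"), "admin"),
        ("jim@juice-sh.op", _hash("ncc-1701"), "customer"),
    ])
    return db


def login_vulnerable(db: sqlite3.Connection, email: str, password: str):
    """Email is spliced into the statement text: the attacker controls the WHERE clause."""
    query = (f"SELECT id, email, role FROM Users "
             f"WHERE email = '{email}' AND password = '{_hash(password)}'")
    return db.execute(query).fetchone()


def login_fixed(db: sqlite3.Connection, email: str, password: str):
    """Bound parameters: the driver sends values separately, so quotes stay data."""
    query = "SELECT id, email, role FROM Users WHERE email = ? AND password = ?"
    return db.execute(query, (email, _hash(password))).fetchone()


if __name__ == "__main__":
    db = make_db()
    # Generic bypass: closes the literal, makes the predicate true, comments out the rest.
    print("vulnerable, ' OR 1=1--   :", login_vulnerable(db, "' OR 1=1--", "anything"))
    # Targeted bypass: pick a victim by email, comment out the password check.
    print("vulnerable, admin'--       :", login_vulnerable(db, "admin@juice-sh.op'--", "wrong"))
    print("fixed,      ' OR 1=1--   :", login_fixed(db, "' OR 1=1--", "anything"))
    print("fixed,      real password:", login_fixed(db, "admin@juice-sh.op", "admin123"))
```

The first payload returns the first row of the table, which in the constructed data (and in many real applications) is the administrator; the targeted form is the one that matters in practice, since it picks the victim account without guessing anything about the password hashing.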


T1083: File and Directory Discovery — DVWA Case Study

Overview

MITRE ATT&CK Technique: T1083 — File and Directory Discovery

Tactic: Discovery

Definition: Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system or directory structure. Adversaries may use the information gathered to plan follow-up actions, such as identifying executable files or sensitive data.

This post documents a practical reconnaissance exercise against DVWA using command injection to enumerate the filesystem and identify critical directories, configuration files, and potential attack surfaces.


Unauthenticated OpenSearch Requests — Analysis Report

Date: 2026-03-04
System: OpenSearch Cluster
Index: security-auditlog-*
Findings: 18 requests whose effective user is <NONE> (unauthenticated)

Executive Summary

OpenSearch audit logs show 18 requests from an unauthenticated source (audit_request_effective_user.keyword: "<NONE>"). All of them originate from 127.0.0.1 (localhost), which rules out a remote attacker, though not a local process; the request pattern is what settles that question. The requests are clustered within a narrow time window and follow a systematic pattern consistent with automated health checks or monitoring probes, not with active exploitation or reconnaissance.

Threat Level: LOW — Consistent with legitimate health check behavior.
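The triage above as an added Python example that is not part of the original report: it filters audit events whose effective user is <NONE>, checks that every source address is loopback, measures the time span of the burst, and flags privileged paths. The audit lines are constructed for the demo; the field names follow the OpenSearch security plugin's audit log schema, but the 60-second window and the list of sensitive path prefixes are thresholds assumed here, not values from the report.

```python
"""Triage effective_user=<NONE> audit events: loopback-only, tight window, benign paths."""
import json
from datetime import datetime, timedelta, timezone
from ipaddress import ip_address

# Thresholds assumed for this example, not taken from the report.
HEALTH_CHECK_WINDOW_SECONDS = 60
SENSITIVE_PREFIXES = ("/_plugins/_security", "/_snapshot", "/_nodes", "/_cat")


def constructed_audit_lines() -> list:
    """18 loopback <NONE> events two seconds apart, plus one authenticated event.
    Constructed for the demo; field names follow the security plugin's audit schema."""
    base = datetime(2026, 3, 4, 10, 0, 0, tzinfo=timezone.utc)
    lines = []
    for i in range(18):
        lines.append(json.dumps({
            "@timestamp": (base + timedelta(seconds=2 * i)).isoformat(),
            "audit_category": "FAILED_LOGIN",
            "audit_request_layer": "REST",
            "audit_request_effective_user": "<NONE>",
            "audit_request_remote_address": "127.0.0.1",
            "audit_rest_request_path": "/_cluster/health" if i % 2 == 0 else "/",
        }))
    lines.append(json.dumps({                      # authenticated admin, filtered out below
        "@timestamp": (base + timedelta(minutes=5)).isoformat(),
        "audit_category": "GRANTED_PRIVILEGES",
        "audit_request_layer": "REST",
        "audit_request_effective_user": "admin",
        "audit_request_remote_address": "10.0.0.5",
        "audit_rest_request_path": "/_cat/indices",
    }))
    return lines


def parse_events(lines) -> list:
    """One JSON object per line, as exported from the security-auditlog-* index."""
    return [json.loads(line) for line in lines if line.strip()]


def _is_loopback(addr: str) -> bool:
    """Accept '127.0.0.1' or '127.0.0.1:54321'; IPv6 literals pass through unchanged."""
    if not addr:
        return False
    host = addr.rsplit(":", 1)[0] if addr.count(":") == 1 else addr
    return ip_address(host).is_loopback


def triage_unauthenticated(events: list) -> dict:
    """Summarise <NONE>-user events and assign LOW / REVIEW / INVESTIGATE."""
    unauth = [e for e in events if e.get("audit_request_effective_user") == "<NONE>"]
    if not unauth:
        return {"count": 0, "verdict": "NONE"}
    sources = sorted({e.get("audit_request_remote_address", "") for e in unauth})
    all_loopback = all(_is_loopback(s) for s in sources)
    paths = sorted({e.get("audit_rest_request_path", "") for e in unauth})
    sensitive = [p for p in paths if p.startswith(SENSITIVE_PREFIXES)]
    stamps = sorted(datetime.fromisoformat(e["@timestamp"]) for e in unauth)
    span = (stamps[-1] - stamps[0]).total_seconds()
    if not all_loopback or sensitive:
        verdict = "INVESTIGATE"        # remote source or privileged path: not a health check
    elif span <= HEALTH_CHECK_WINDOW_SECONDS and len(paths) <= 3:
        verdict = "LOW"                # tight burst of a few benign paths from localhost
    else:
        verdict = "REVIEW"             # loopback, but spread out or touching many paths
    return {"count": len(unauth), "sources": sources, "all_loopback": all_loopback,
            "paths": paths, "sensitive_paths": sensitive, "span_seconds": span,
            "verdict": verdict}


SAMPLE_AUDIT_LINES = constructed_audit_lines()

if __name__ == "__main__":
    print(json.dumps(triage_unauthenticated(parse_events(SAMPLE_AUDIT_LINES)), indent=2))
```

The verdict deliberately flips to INVESTIGATE on either a single non-loopback source or a single privileged path, because one such event among otherwise benign probes is exactly what a local health-check rule would otherwise mask.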
