x.ai Infrastructure Mapping: Segmented Architecture & WAF Defense#

Overview#

Active reconnaissance of x.ai’s subdomain infrastructure reveals a deliberately segmented architecture designed to isolate web-facing endpoints from backend services. This report documents the infrastructure topology discovered during Phase 4 active probing.

Subdomain Topology#

Live Endpoints#

console.x.ai (307 Redirect)

  • Authentication-protected console interface
  • Redirects unauthenticated traffic to /home path
  • Cloudflare-protected with CF-RAY headers
  • Likely Next.js-based application

api.x.ai (421 Misdirected Request)

  • Backend API infrastructure on Envoy WASM ingress
  • Responds with “prod-ic-ingress-fallback” identifier
  • SNI mismatch suggests intentional routing segregation
  • Not directly accessible from public internet

auth.x.ai & status.x.ai (403 Forbidden)

  • Cloudflare WAF actively blocking access
  • DNS-configured but intentionally restricted at edge
  • Returns 403 rather than timeout—endpoints exist and respond

docs.x.ai (308 Permanent Redirect)

  • Self-referential redirect loop
  • Either misconfigured or deliberately access-restricted
  • Suggests documentation portal exists but is inaccessible

Non-Existent Subdomains#

The following subdomains do not resolve (NXDOMAIN):

  • chat.x.ai, login.x.ai, register.x.ai
  • oauth.x.ai, account.x.ai, settings.x.ai
  • profile.x.ai, api-keys.x.ai, credentials.x.ai
  • dashboard.x.ai, widget.x.ai, embed.x.ai
  • help.x.ai, support.x.ai

This pattern suggests x.ai deliberately avoids DNS entries for common attack-surface subdomains, reducing enumeration value from wildcard certificate transparency analysis.

Infrastructure Architecture#

Web Tier#

  • Main site (x.ai) behind Cloudflare WAF
  • console.x.ai authenticated application
  • Browser User-Agent requirement indicates anti-bot protection

Backend Tier#

  • api.x.ai on Envoy WASM ingress (“prod-ic-ingress-fallback”)
  • WASM-based security module indicates advanced proxying
  • Separate from web tier—not directly internet-routable

Protection Layer#

  • Cloudflare edge protection with aggressive filtering
  • WAF rules block non-standard requests
  • Some subdomains entirely blocked (403)
  • No verbose error messages or information disclosure

Defense Posture#

Strengths:

  • Intentional DNS restriction (no unnecessary subdomains)
  • Segmented infrastructure (web ≠ backend)
  • No exposed credentials or API keys in HTTP headers
  • Clean error responses without information leakage
  • Advanced proxy infrastructure (Envoy WASM)

Observations:

  • docs.x.ai redirect loop may indicate misconfiguration or intentional blocking
  • api.x.ai 421 response could be tested for header manipulation responses
  • Unauthenticated redirect patterns on console.x.ai worth monitoring for information leakage

Implications for Reconnaissance#

  1. Certificate Transparency — Limited value due to deliberate NXDOMAIN strategy
  2. JavaScript Analysis — Main vector for API endpoint discovery
  3. Historical Data — Wayback Machine snapshots could reveal deprecated endpoints
  4. WAF Bypass — Standard techniques likely ineffective; infrastructure highly defended

Conclusion#

x.ai’s infrastructure demonstrates thoughtful defense-in-depth architecture. The organization has eliminated low-hanging reconnaissance fruit through careful DNS management, deployed advanced proxy infrastructure on the backend, and implemented aggressive edge protection. No obvious vulnerabilities emerge from passive or initial active reconnaissance.

Further testing would require either authentication bypass attempts, WAF evasion techniques, or API reverse engineering from client-side JavaScript.