Hackx K2 Webapp
SPEC_HACKX_K2_WEBAPP.md
CGNT-1 Specification — HACKX Knowledge Domain K2 — Web Application Attacks
Status: SPECIFIED
Version: v1.0
Author: VELA (Thread #13)
Conceived by: NOUS (α.13)
Date: 2026-04-20
Depends on: SPEC_HACKX.md v1.1
PURPOSE
K2 covers attacks that target 42sisters.ai's web-facing surface — the Caddy server, the LATTICE Training Arena, the product pages, the Stripe checkout flow, and any future browser-based OBI OS Bridge. Web apps are the most commonly attacked surface on the internet. 42sisters.ai will be no exception.
MITRE ATT&CK MAPPING
Tactic: TA0001 — Initial Access via T1190 (Exploit Public-Facing Application)
Also covers OWASP Top 10 categories relevant to our stack.
DETECTION PATTERNS
K2.01 — SQL Injection Probing
What it is: Requests containing SQL syntax in URL parameters, form fields, or headers.
Signature characters: ' " ; -- UNION SELECT DROP INSERT
Note: Our stack doesn't use SQL (ChromaDB is vector, JSONL is flat file) — but attackers don't know that. Probing attempts are still intelligence.
HACKX response: Log full request including payload, source IP, targeted endpoint.
Alert level: MEDIUM
K2.02 — Cross-Site Scripting (XSS) Probing
What it is: Requests containing script tags, event handlers, or encoded JavaScript in parameters.
Signature characters: <script> onerror= onload= javascript: eval(
HACKX response: Log payload, source IP, targeted field. Caddy should strip these but HACKX logs them as recon intelligence.
Alert level: MEDIUM
K2.03 — Path Traversal
What it is: Requests containing ../ sequences attempting to escape the web root and read arbitrary files.
Common targets: ../../../etc/passwd, ../.env, ../../../home/nous/.env
Signature: Path containing ../ or encoded equivalents (%2e%2e%2f)
HACKX response: Log full path attempted, source IP.
Alert level: HIGH — this is an attempt to read credentials or system files.
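Added example, not part of the HACKX code base: one way to implement the K2.03 signature so that encoded and double-encoded forms of ../ are caught without flagging file names that merely contain two dots. The function names, the decode-round cap and the sample paths are assumptions made for illustration.

```python
from urllib.parse import unquote

MAX_DECODE_ROUNDS = 5  # assumption: cap on nested percent-encoding layers


def normalise_path(raw_path: str) -> str:
    """Percent-decode until the path stops changing, then unify separators."""
    path = raw_path
    for _ in range(MAX_DECODE_ROUNDS):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    # Treat backslashes as separators so ..\ is caught as well.
    return path.replace("\\", "/")


def is_traversal(raw_path: str) -> bool:
    """True when any segment of the decoded path is exactly '..'."""
    return ".." in normalise_path(raw_path).split("/")


def k203_event(raw_path: str, source_ip: str):
    """Build the K2.03 log record, or return None for a clean path."""
    if not is_traversal(raw_path):
        return None
    return {
        "pattern": "K2.03",
        "level": "HIGH",
        "path": raw_path,                      # full path as attempted
        "decoded": normalise_path(raw_path),   # what the server would see
        "source_ip": source_ip,
    }


# Constructed sample request paths.
SAMPLES = [
    "/../../../etc/passwd",
    "/static/%2e%2e%2f%2e%2e%2f.env",
    "/%252e%252e%252f.env",        # double-encoded
    "/docs/release..notes.html",   # dots inside a name, not traversal
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(sample, "->", k203_event(sample, "198.51.100.7"))
```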
K2.04 — Command Injection
What it is: Requests containing shell metacharacters attempting to execute commands via web input.
Signature characters: ; | & $() and backticks (`)
HACKX response: Log full payload, source IP.
Alert level: HIGH — command injection is a direct compromise attempt.
K2.05 — Server-Side Request Forgery (SSRF)
What it is: Requests asking the web server to fetch a URL — attempting to access internal services through the web layer.
Targets: localhost:9191 (ROUTX), localhost:11434 (Ollama), internal IPs via the web server.
Signature: URL parameters containing localhost, 127.0.0.1, internal IP ranges (10.x, 172.16.x, 192.168.x), or the server's own public IP.
HACKX response: Log target URL, source IP.
Alert level: CRITICAL — SSRF can expose the entire internal service layer.
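Added example, not part of the HACKX code base: a K2.05 check that parses each query parameter as a URL and classifies the host with Python's ipaddress module instead of matching text prefixes, so all of 172.16.0.0/12 and IPv6 loopback are covered. The server IP is a placeholder from a documentation range, and the function names and field names are assumptions.

```python
import ipaddress
from urllib.parse import parse_qsl, urlsplit

# Assumption: placeholder for the server's own public IP (documentation range).
SERVER_PUBLIC_IP = ipaddress.ip_address("203.0.113.10")


def internal_reason(host: str):
    """Return why a host counts as an internal target, or None."""
    host = host.rstrip(".").lower()
    if host == "localhost" or host.endswith(".localhost"):
        return "localhost"
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return None  # a DNS name; this example does not resolve names
    if ip == SERVER_PUBLIC_IP:
        return "own public IP"
    if ip.is_loopback:
        return "loopback"
    if ip.is_private:
        return "internal range"
    return None


def ssrf_findings(request_target: str, source_ip: str):
    """Check every query parameter value for an internal host (K2.05)."""
    findings = []
    for name, value in parse_qsl(urlsplit(request_target).query):
        try:
            # Bare "host:port/path" values get a "//" prefix so they parse.
            host = urlsplit(value if "://" in value else "//" + value).hostname
        except ValueError:
            continue  # unparseable value, not a usable URL
        reason = internal_reason(host) if host else None
        if reason:
            findings.append({"pattern": "K2.05", "level": "CRITICAL",
                             "param": name, "target_url": value,
                             "reason": reason, "source_ip": source_ip})
    return findings


if __name__ == "__main__":
    # Constructed request line; the /fetch endpoint and "url" name are made up.
    target = "/fetch?url=http%3A%2F%2Flocalhost%3A11434%2Fapi%2Ftags&size=10"
    print(ssrf_findings(target, "198.51.100.7"))
```

A public DNS name that resolves to an internal address passes this check, so it complements the network-level restriction rather than replacing it.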
K2.06 — Credential Stuffing
What it is: Rapid login attempts with different username/password combinations, targeting authentication endpoints (Stripe customer portal, future OBI OS login).
Signature: >10 failed logins from single IP within 5 minutes, or >50 failed logins across multiple IPs within 15 minutes (distributed attack).
HACKX response: Log attempted usernames (NEVER log passwords), source IPs, timing pattern.
Alert level: HIGH. Consider fail2ban or rate limiting.
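Added example, not part of the HACKX code base: the two K2.06 thresholds as sliding windows over failed-login events, one per source IP and one across all sources. The class and field names are assumptions, timestamps are seconds and assumed to arrive in order, and no password is ever passed in.

```python
from collections import deque

PER_IP_LIMIT, PER_IP_WINDOW = 10, 5 * 60      # >10 failures per IP in 5 min
GLOBAL_LIMIT, GLOBAL_WINDOW = 50, 15 * 60     # >50 failures overall in 15 min


class StuffingDetector:
    def __init__(self):
        self.by_ip = {}              # ip -> deque of failure timestamps
        self.failures = deque()      # (timestamp, ip, username), all sources

    def record_failure(self, ts, ip, username):
        """Record one failed login; return a K2.06 alert dict or None.

        There is deliberately no password parameter: it is never stored.
        """
        per_ip = self.by_ip.setdefault(ip, deque())
        per_ip.append(ts)
        while per_ip[0] <= ts - PER_IP_WINDOW:
            per_ip.popleft()
        self.failures.append((ts, ip, username))
        while self.failures[0][0] <= ts - GLOBAL_WINDOW:
            self.failures.popleft()

        if len(per_ip) > PER_IP_LIMIT:
            return self._alert("single-ip", ts, {ip})
        ips = {f[1] for f in self.failures}
        if len(self.failures) > GLOBAL_LIMIT and len(ips) > 1:
            return self._alert("distributed", ts, ips)
        return None

    def _alert(self, kind, ts, ips):
        """Collect the usernames tried from the offending sources."""
        users = sorted({u for _, i, u in self.failures if i in ips})
        return {"pattern": "K2.06", "level": "HIGH", "kind": kind, "at": ts,
                "source_ips": sorted(ips), "usernames": users}


if __name__ == "__main__":
    # Constructed input: 11 failures from one address, 10 seconds apart.
    detector = StuffingDetector()
    for n in range(11):
        alert = detector.record_failure(n * 10, "198.51.100.7", f"user{n}")
    print(alert)
```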
K2.07 — API Abuse
What it is: Excessive API calls attempting to enumerate endpoints, brute force parameters, or exhaust rate limits.
Targets: ROUTX (if ever exposed), Stripe webhooks.
Signature: >100 API calls from single source within 1 minute with >50% non-200 response rate.
HACKX response: Log endpoints hit, error codes, source IP.
Alert level: MEDIUM
K2.08 — File Upload Exploitation
What it is: Attempts to upload executable files disguised as documents. (Applies when Workbench file drop or history import is live.)
Signature: Uploaded file with executable extension (.php, .py, .sh, .exe) or polyglot files (valid image header + embedded script).
HACKX response: Log filename, MIME type declared vs actual, source IP.
Alert level: CRITICAL — file upload exploitation is direct code execution.
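Added example, not part of the HACKX code base: a K2.08 inspection that compares the declared MIME type with the type identified from the file's leading bytes and flags image files that also contain script markers. The magic-byte table is a small subset, the script marker list is a heuristic assumption, and the function and field names are made up for illustration.

```python
from pathlib import PurePosixPath

# Leading "magic" bytes for a few common document and image types.
MAGIC = {
    b"\x89PNG\r\n\x1a\n": "image/png",
    b"\xff\xd8\xff": "image/jpeg",
    b"GIF87a": "image/gif",
    b"GIF89a": "image/gif",
    b"%PDF-": "application/pdf",
}
EXECUTABLE_EXT = {".php", ".py", ".sh", ".exe"}   # list from K2.08
SCRIPT_MARKERS = (b"<?php", b"<script", b"#!/")   # assumption: heuristic set


def sniff_mime(data: bytes) -> str:
    """Identify the type from the file's first bytes, not from its name."""
    for magic, mime in MAGIC.items():
        if data.startswith(magic):
            return mime
    return "unknown"


def inspect_upload(filename: str, declared_mime: str, data: bytes, source_ip: str):
    """Return a K2.08 log record, or None if no signature matches."""
    actual = sniff_mime(data)
    reasons = []
    # Check every suffix of the name, not only the last one.
    suffixes = {s.lower() for s in PurePosixPath(filename).suffixes}
    if suffixes & EXECUTABLE_EXT:
        reasons.append("executable extension")
    # Only compare when at least one side is a type this table knows.
    known = actual != "unknown" or declared_mime in MAGIC.values()
    if known and actual != declared_mime:
        reasons.append("declared MIME differs from content")
    if actual.startswith("image/") and any(m in data.lower() for m in SCRIPT_MARKERS):
        reasons.append("image header with embedded script")
    if not reasons:
        return None
    return {"pattern": "K2.08", "level": "CRITICAL", "filename": filename,
            "mime_declared": declared_mime, "mime_actual": actual,
            "reasons": reasons, "source_ip": source_ip}


if __name__ == "__main__":
    # Constructed upload: a PNG header declared as a JPEG.
    png = b"\x89PNG\r\n\x1a\n" + b"\x00" * 16
    print(inspect_upload("photo.jpg", "image/jpeg", png, "198.51.100.7"))
```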
K2.09 — Stripe Webhook Forgery
What it is: Fake webhook calls to our Stripe endpoint attempting to trigger actions (fake payment confirmations, fake subscription events).
Signature: Webhook call where Stripe signature verification fails (incorrect webhook secret).
HACKX response: Log full request body, source IP, failed signature.
Alert level: HIGH — someone knows our webhook endpoint and is attempting to forge payments.
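Added example, not part of the HACKX code base: the check behind K2.09 and INV-03, written out with the standard library so each failure reason can be logged. It follows Stripe's v1 scheme (HMAC-SHA256 over the timestamp, a dot and the raw request body, carried in the Stripe-Signature header); the secret, body, timestamp and the five-minute tolerance are constructed or assumed values, and Stripe's official library would normally do this step.

```python
import hashlib
import hmac

TOLERANCE_SECONDS = 300  # assumption: five-minute replay window


def expected_signature(body: bytes, timestamp: str, secret: str) -> str:
    """HMAC-SHA256 over "<timestamp>.<raw body>", hex encoded (scheme v1)."""
    signed_payload = timestamp.encode() + b"." + body
    return hmac.new(secret.encode(), signed_payload, hashlib.sha256).hexdigest()


def verify_stripe_signature(body: bytes, sig_header: str, secret: str, now: int):
    """Return (ok, reason); on failure the reason goes into the K2.09 log.

    body must be the exact bytes received, before any JSON parsing.
    """
    timestamp, candidates = None, []
    for item in sig_header.split(","):
        key, _, value = item.strip().partition("=")
        if key == "t":
            timestamp = value
        elif key == "v1":
            candidates.append(value)   # several v1 values may be present
    if timestamp is None or not (timestamp.isascii() and timestamp.isdigit()):
        return False, "missing or malformed timestamp"
    if not candidates:
        return False, "no v1 signature in header"
    expected = expected_signature(body, timestamp, secret).encode()
    # compare_digest avoids leaking the match position through timing.
    if not any(hmac.compare_digest(expected, c.encode()) for c in candidates):
        return False, "signature mismatch"
    if abs(now - int(timestamp)) > TOLERANCE_SECONDS:
        return False, "timestamp outside tolerance"
    return True, "ok"


if __name__ == "__main__":
    # Constructed secret, body and timestamp; not real Stripe data.
    secret, body, t = "whsec_constructed_example", b'{"type":"invoice.paid"}', 1776700000
    good = f"t={t},v1={expected_signature(body, str(t), secret)}"
    print(verify_stripe_signature(body, good, secret, now=t + 30))
    print(verify_stripe_signature(body, f"t={t},v1={'0' * 64}", secret, now=t + 30))
```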
K2.10 — Sensitive File Access
What it is: Direct requests for files that should never be publicly accessible.
Common targets: /.env, /.git/config, /backup.sql, /debug.log, /phpinfo.php, /wp-config.php, /server-status
Signature: Request for any known sensitive filename.
Note: Most will 404 (our stack isn't PHP/WordPress) but the attempt is intelligence.
HACKX response: Log requested path, source IP.
Alert level: MEDIUM (automated scanner) → elevated to HIGH if attempts target our actual stack rather than generic WordPress probes.
OUR ATTACK SURFACE
42sisters.ai runs on Caddy with mostly static content. The current attack surface is small:
| Surface | Current State | Attack Vectors |
|---|---|---|
| Database | None (ChromaDB vector, JSONL flat) | No SQL injection surface |
| User accounts | None yet | No credential stuffing surface |
| File uploads | None yet | No upload exploitation |
| Stripe webhook | Live | K2.09 forgery |
| LATTICE Training Arena | Future | XSS, injection |
| OBI OS Browser Bridge | Future | WebSocket injection |
The surface grows with each feature. Every new endpoint triggers a K2 review: what attack vectors does this introduce?
CADDY HARDENING
Caddy provides baseline defense. HACKX supplements it.
| Layer | System | Provides |
|---|---|---|
| Layer 1 | Caddy | HTTPS enforcement, automatic certs, request size limits, basic rate limiting |
| Layer 2 | HACKX | Pattern-based attack detection, logging and intelligence, honeypot endpoints, cross-event correlation |
Correlation rule: 10 MEDIUM events from one IP within 1 hour = escalate to HIGH.
HONEYPOT INTEGRATION
HACKX Layer 1 (Bait) for K2 — fake vulnerable endpoints that look like common attack targets:
| Honeypot Path | Simulates | What's Logged |
|---|---|---|
| /admin | Admin login page | All credentials entered (usernames, passwords — for intelligence only) |
| /.env | Exposed env file | Decoy credentials leading to honeypot services |
| /wp-admin | WordPress admin | All interaction |
| /api/v1/debug | Debug endpoint | All queries and payloads |
Any interaction with these endpoints is 100% malicious. No legitimate user would find them. Every keystroke is logged, every payload captured, every IP recorded.
RESPONSE PROTOCOL
K2 detection
→ log to ~/logs/hackx.log
→ classify per severity:
    CRITICAL (SSRF, file upload): escalate to P1
    HIGH (path traversal, cmd injection, webhook forgery): escalate to P2
    MEDIUM: aggregate in daily GAPX report
→ all patterns feed MANTIS via LEARNX
Rate limiting response:
Single IP triggers 3+ K2 patterns
→ temporary IP block via ufw (pre-authorized Lobster action)
→ duration: 24 hours
→ logged, automatically expires
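Added example, not part of the HACKX code base: the severity routing, the correlation rule from CADDY HARDENING (10 MEDIUM events from one IP within 1 hour) and the 24-hour block decision combined in one per-IP tracker. The class and field names are assumptions, and so is counting the "3+ K2 patterns" over the same one-hour window, since the spec gives no window for that rule; applying the block through ufw is left out.

```python
from collections import defaultdict

HOUR, DAY = 3600, 86400
LEVELS = {  # alert levels as assigned in K2.01 to K2.10
    "K2.01": "MEDIUM", "K2.02": "MEDIUM", "K2.03": "HIGH", "K2.04": "HIGH",
    "K2.05": "CRITICAL", "K2.06": "HIGH", "K2.07": "MEDIUM",
    "K2.08": "CRITICAL", "K2.09": "HIGH", "K2.10": "MEDIUM",
}
ROUTES = {"CRITICAL": "P1", "HIGH": "P2", "MEDIUM": "GAPX daily report"}


class Correlator:
    def __init__(self):
        self.events = defaultdict(list)   # ip -> [(timestamp, pattern)]
        self.blocked_until = {}           # ip -> block expiry timestamp

    def observe(self, ts, ip, pattern):
        """Classify one detection, then apply the correlation and block rules."""
        recent = [e for e in self.events[ip] if e[0] > ts - HOUR]
        recent.append((ts, pattern))
        self.events[ip] = recent
        level = LEVELS[pattern]
        mediums = sum(1 for _, p in recent if LEVELS[p] == "MEDIUM")
        if level == "MEDIUM" and mediums >= 10:
            level = "HIGH"                       # 10 MEDIUM in 1 hour
        if len({p for _, p in recent}) >= 3:     # 3+ distinct K2 patterns
            self.blocked_until[ip] = ts + DAY    # 24-hour block
        return {"ip": ip, "pattern": pattern, "level": level,
                "route": ROUTES[level], "blocked": self.is_blocked(ip, ts)}

    def is_blocked(self, ip, ts):
        """A block lapses on its own once its expiry time has passed."""
        return self.blocked_until.get(ip, 0) > ts


if __name__ == "__main__":
    # Constructed event stream: three different patterns from one address.
    tracker = Correlator()
    for when, pattern in [(0, "K2.10"), (5, "K2.01"), (9, "K2.03")]:
        print(tracker.observe(when, "198.51.100.7", pattern))
```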
INVARIANTS
INV-01: HACKX never counter-attacks. Log, classify, alert, block. Never engage.
INV-02: Every K2 detection feeds MANTIS training pipeline. Each attack teaches the defense.
INV-03: Stripe webhook signature verification is the FIRST defense against K2.09. If Stripe verification passes, the webhook is legitimate regardless of what HACKX thinks.
INV-04: Honeypot endpoints are documented internally but never referenced publicly. Their value is in being discovered by attackers, not by legitimate users.
INV-05: Attack surface grows with features. Every new endpoint added to 42sisters.ai triggers a K2 review: what new attack vectors does this endpoint introduce?
INV-06: Caddy is layer 1 defense. HACKX is layer 2 intelligence. They complement each other; neither replaces the other.
INTEGRATION
| System | Relationship |
|---|---|
| SPEC_HACKX.md | K2 is one of 10 knowledge domains. HACKX.md is the parent spec. |
| SPEC_HACKX_K1_RECON.md | K1 detects the scanner. K2 detects what the scanner finds and tries to exploit. K1 → K2 is a natural attack progression. |
| SPEC_MONITORING_ESCALATION.md | CRITICAL → P1 (immediate). HIGH → P2. MEDIUM → GAPX daily report. |
| SPEC_BRAIN_MANTIS.md | All K2 patterns feed MANTIS via LEARNX per INV-02. Web attack patterns inform social engineering detection. |
| SPEC_DNS_MANAGEMENT.md | Caddy serves 42sisters.ai. DNS points to the Caddy server. K2 attack surface is bounded by what Caddy exposes. |
| SPEC_INCIDENT_POSTMORTEM.md | CRITICAL K2 alerts trigger postmortems. Pattern documented. MANTIS trained. |
Jeremy Zlabis
Chronogeometer · Visionary · Disruptor · Chief
42 Sisters AI · East York, Toronto
🍁 Φ 0.042