NIGHTFALL — TOOL 72 — SPECTER PLATFORM

SPECTER PLATFORM

LLM Application Platform Exploitation Engine

Eight subsystems targeting the five most deployed LLM application platforms. API key harvest, workflow injection, RAG cross-tenant data exfiltration, JWT forgery, gateway reroute, and agent orchestration attacks — all under a three-tier UNLEASHED clearance gate with SHA-256 append-only evidence chain and Ed25519-signed reports.

8 subsystems · 7 attack categories · 5 target platforms · 367 tests
Target Coverage

Five Platform Targets

SPECTER PLATFORM ships with purpose-built adapters for the five most widely deployed LLM application platforms. Each adapter fingerprints the target, enumerates its attack surface, and selects platform-specific probes. Two platforms carry confirmed CVEs.

DIFY (CVE-2026-34082): Workflow node injection, model provider key exposure, sandbox escape via code execution subsystem. Console API unauthenticated enumeration.
MAXKB (CVE-2026-39426): Knowledge base IDOR, cross-tenant document retrieval, admin endpoint access without auth, dataset enumeration via predictable IDs.
OPEN WEBUI: Memory injection API, tool hijacking via unauthenticated tool creation, RAG pipeline cross-user boundary traversal, OIDC config exposure.
LIBRECHAT: Assistant enumeration, action endpoint reachability, gateway configuration exposure, API key harvest from model provider settings.
ANYTHINGLLM: Workspace slug enumeration, agent invocation without auth, document upload SSRF, model settings endpoint key exposure.
Architecture

Eight Subsystems

Each subsystem operates as an independent probe module. SURVEY and ASH are always active. INJECT and DESTROY clearance subsystems require explicit gate authorisation. All subsystems append to the shared SHA-256 evidence chain before returning findings.

SURVEY (FORGE clearance): Platform fingerprinting. Identifies target (Dify/MaxKB/LibreChat/OpenWebUI/AnythingLLM), version, exposed endpoints, auth posture, and plugin surface. Always runs — no gate required.
VAULT (FORGE clearance): API key and credential harvest. Probes model provider endpoints, settings APIs, and environment leakage paths for exposed LLM API keys. Passive enumeration only.
WORKFLOW (INJECT clearance): Workflow enumeration and injection. Lists Dify workflows, attempts node parameter injection, tests sandbox escape via code execution subsystem. INJECT gate for active probes.
RAGPOISON (INJECT clearance): RAG pipeline attacks. Cross-tenant document retrieval via IDOR, CSV injection via upload, XXE via XML document parser, poisoned embedding injection. INJECT gate for document probes.
WORKSPACE (INJECT clearance): Workspace privilege escalation. JWT algorithm confusion (alg:none), weak secret brute-force, IDOR on member endpoints, invitation token abuse. INJECT gate for JWT probes.
GATEWAY (DESTROY clearance): Model gateway manipulation. Model provider settings enumeration, gateway URL reroute to attacker-controlled endpoint, key interception in transit. DESTROY gate for reroute probes.
ORCHESTRATOR (INJECT clearance): Agent orchestration layer attacks. Tool enumeration, memory corruption via context injection, tool call hijacking via malicious tool definition. INJECT gate for active attacks.
ASH (FORGE clearance): Report generation and evidence finalisation. Aggregates all findings, computes compliance coverage, generates Ed25519-signed JSON report, finalises evidence chain hash.
Attack Coverage

Seven Attack Categories

Every finding is classified by attack category, mapped to OWASP LLM Top 10 and MITRE ATLAS, and annotated with the clearance level required to trigger it.

API_KEY_HARVEST: Extract LLM API keys from model provider endpoints, settings APIs, and environment leakage paths.
WORKFLOW_INJECT: Inject malicious parameters into workflow nodes. Trigger sandbox escape via code execution subsystem.
RAG_CROSS_TENANT: Retrieve documents belonging to other tenants via IDOR. Inject poisoned content into shared knowledge bases.
WORKSPACE_ESCALATION: Escalate privileges via JWT algorithm confusion, weak secret forge, and IDOR on workspace member endpoints.
GATEWAY_REROUTE: Redirect model inference calls to attacker-controlled endpoints. Intercept API keys in transit.
DOCUMENT_EXEC: Exploit document parser vulnerabilities — XXE via XML upload, CSV formula injection, SSRF via embedded URLs.
AUTH_BYPASS: Bypass authentication via JWT alg:none, OIDC misconfiguration, session fixation, and unauthenticated admin endpoint access.
UNLEASHED Gate System

Three-Tier Clearance

Every finding carries a clearance annotation. FORGE probes run passively on any scan. INJECT and DESTROY attacks require explicit authorisation flags — preventing accidental execution of active exploit chains during recon phases.

■ FORGE (no gate, always permitted)
Passive enumeration, fingerprinting, and API discovery. Safe to run on any authorised target. SURVEY, VAULT, and ASH operate at FORGE clearance.
■ INJECT (--override + UNLEASHED key required)
Active injection attacks: workflow node injection, memory corruption, JWT forgery, RAG document poisoning, tool hijacking. Requires explicit operator authorisation.
■ DESTROY (--override + --confirm-destroy + UNLEASHED key)
Destructive configuration changes: model gateway reroute, settings overwrite, persistent backdoor establishment. Triple-gate — all three conditions must be met.

# FORGE — passive scan, no gate
$ specter-platform scan https://dify.example.com

# INJECT — active probes enabled
$ specter-platform scan https://dify.example.com --override

# DESTROY — full engagement including gateway reroute
$ specter-platform scan https://dify.example.com --override --confirm-destroy

# Target a specific platform
$ specter-platform scan https://maxkb.example.com --platform maxkb

# Platform survey only
$ specter-platform survey https://openwebui.example.com

# VAULT — API key harvest only
$ specter-platform vault https://librechat.example.com

# JSON output + save report
$ specter-platform scan https://dify.example.com --json --output report.json
Evidence & Reporting

SHA-256 Evidence Chain

Every probe appends to a tamper-evident SHA-256 hash chain. Each entry includes a timestamp, event type, structured data payload, and the hash of the previous entry. Chain integrity verification runs before the report is finalised. Findings are Ed25519 signed for legal defensibility.

SHA-256 Chain: Append-only hash chain. Each entry links to the previous. Tamper detection via verify_integrity() check.
Ed25519 Signing: Reports signed with Ed25519 private key. Signature verifiable offline against public key without network access.
JSON Reports: Structured JSON output with findings, chain export, integrity status, compliance mapping, and scan metadata.
CVE References: Findings linked to CVE-2026-34082 (Dify) and CVE-2026-39426 (MaxKB) where applicable.
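The evidence chain described above, as an added example that is not SPECTER PLATFORM's own code: an append-only SHA-256 chain whose entries carry a timestamp, event type, payload and the previous entry's hash, with a verify_integrity() check that reports the first entry whose link or digest no longer matches. The field names, the all-zero genesis hash, canonical-JSON hashing and the constructed sample events are assumptions, not the tool's format.

```python
import hashlib
import json
from datetime import datetime, timezone

GENESIS_HASH = "0" * 64  # prev_hash of the first entry (assumed convention)


def _entry_hash(entry):
    # Hash every field except 'hash' itself, over canonical JSON so that key
    # order or whitespace cannot change the digest.
    body = {k: v for k, v in entry.items() if k != "hash"}
    canon = json.dumps(body, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(canon).hexdigest()


class EvidenceChain:
    def __init__(self):
        self.entries = []  # append-only in use; never edited after append

    def append(self, event_type, data, timestamp=None):
        prev_hash = self.entries[-1]["hash"] if self.entries else GENESIS_HASH
        entry = {
            "seq": len(self.entries),
            "timestamp": timestamp or datetime.now(timezone.utc).isoformat(),
            "event_type": event_type,
            "data": data,
            "prev_hash": prev_hash,
        }
        entry["hash"] = _entry_hash(entry)
        self.entries.append(entry)
        return entry

    def verify_integrity(self):
        """Return (ok, index): index is the first broken entry, or -1."""
        expected_prev = GENESIS_HASH
        for i, entry in enumerate(self.entries):
            if entry["seq"] != i or entry["prev_hash"] != expected_prev:
                return False, i
            if _entry_hash(entry) != entry["hash"]:
                return False, i
            expected_prev = entry["hash"]
        return True, -1


def demo_tamper_detection():
    # Constructed sample events, then an after-the-fact edit that must be caught.
    chain = EvidenceChain()
    chain.append("survey", {"platform": "dify", "version": "example"}, "2026-01-01T00:00:00+00:00")
    chain.append("finding", {"category": "API_KEY_HARVEST", "severity": "high"}, "2026-01-01T00:00:01+00:00")
    assert chain.verify_integrity() == (True, -1)
    chain.entries[1]["data"]["severity"] = "info"  # silently downgrade a finding
    return chain.verify_integrity()  # (False, 1): entry 1's digest no longer matches
```

The chain detects edits to or re-ordering of recorded entries, but not replacement of the whole chain by a consistently re-hashed one; that is what signing the final chain head (the Ed25519 report signature the page describes) is for.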
Compliance Mapping

Mapped to OWASP & MITRE ATLAS

Every finding includes references to OWASP LLM Top 10 and MITRE ATLAS TTPs. The ASH subsystem aggregates all mappings into the final report's compliance section.

OWASP LLM TOP 10
LLM01 — Prompt Injection
LLM02 — Insecure Output
LLM04 — Data/Model Poisoning
LLM06 — Sensitive Info Disclosure
LLM07 — Insecure Plugin Design
LLM09 — Overreliance
MITRE ATLAS
AML.T0012 — Valid Accounts
AML.T0035 — ML Model Inference
AML.T0040 — ML Supply Chain
AML.T0043 — Craft Adv. Data
AML.T0051 — LLM Plugin
AML.T0054 — LLM Jailbreak
OWASP ASVS
A02:2021 — Cryptographic Failures
A03:2021 — Injection
A04:2021 — Insecure Design
A07:2021 — Auth Failures
A08:2021 — Data Integrity
CVE REFERENCES
CVE-2026-34082
  Dify workflow node injection
CVE-2026-39426
  MaxKB knowledge base IDOR

Tool 72. 8 subsystems. 5 platforms. 367 tests. LLM application layer exploitation from passive fingerprinting to active gateway reroute — all in one CLI, all under UNLEASHED control.