HIGH · omc

Bharat Petroleum Corporation Ltd

Test/QA environments named in CT (adfstest, qa.convenience, qa.speed)

bharatpetroleum.in · baseline scan 2026-04-27 · daily passive check 2026-06-13 · Phase 2 active scan 2026-04-28

Daily passive check · 2026-06-13

score 0

  • Availability · HTTP 404
  • TLS · expires 2026-11-24 · 164d
  • Headers · tracked set present
  • Email auth · SPF soft · DMARC reject

Security score · 44 · Elevated

Headline findings

  • 01 · ADFS test endpoint exposed in CT logs (adfstest.bharatpetroleum.in)
  • 02 · QA convenience and speed-store environments named publicly
  • 03 · Loose SPF (~all)
  • 04 · Cloudflare 403 prevents external header verification — Phase 2 active scan needed

TLS security

pass

  • Issuer · Amazon
  • Expires · 2026-11-24 (164d)

Email authentication

  • SPF · soft
  • DKIM · present
  • DMARC · reject

Hardening headers

6 / 0 / 0 · present / permissive / missing

  • HSTS · present
  • CSP · present
  • X-Frame · present
  • X-Content-Type · present
  • Referrer-Policy · present
  • Permissions-Policy · present

Lookalike domains

  • bharatpetroleum.co.in · 52.66.101.246 (AWS EC2, third-party)
  • bharatpetroleum.net · 76.223.67.189 (AWS, third-party)

Public topology · CT logs

30 total · 3 sensitive

bharatpetroleum.in
Authentication
  • adfstest.bharatpetroleum.in
Dev / Test / UAT
  • qa.convenience.bharatpetroleum.in
  • qa.speed.bharatpetroleum.in

Certificate-transparency logs are immutable and public. Sensitive subdomains advertised here cannot be retracted; the mitigation is forward-only — new internal services route through a private CA that does not submit to public CT.

Phase 2 · Active scan complete

Authorised ethical-hacking assessment ran on 2026-04-28. Active fingerprinting, CVE matching, Mythos-class adversary simulation, and CISO patch list below.

Single-question version for MD

With adfstest, qa.convenience, and qa.speed publicly enumerated and likely running weaker security, what controls prevent QA-environment compromise from pivoting to production — and are test credentials cleanly isolated from production databases?

Active fingerprints · per host

  • bharatpetroleum.in · EOL × 2

    Cloudflare WAF + DigiCert TLS + Microsoft stack (ADFS, Teams, Exchange)

    • External header analysis blocked by Cloudflare 403
    • ADFS publicly enumerated
  • adfstest.bharatpetroleum.in / qa.convenience.bharatpetroleum.in / qa.speed.bharatpetroleum.in · EOL × 1

    Test/QA Microsoft infrastructure

    • Test environments expose architecture; credentials often reused from prod

Attack-path simulation

Mythos-class adversary analytical chain · paths ranked by exploitability × access value.

#1 · Path A: ADFS brute force + credential spray

effort days · detect medium
Entry
adfs.bharatpetroleum.in form-based login enables user enumeration via error messages.
Pivot
Username list + spray (breached lists, SIM swap). MFA bypass if SMS-based.
Objective
Email, VPN (rpad, connectbpc), procurement-dashboard access.
#1 · Path B: QA environment exploitation → production pivot

effort days · detect low (bad)
Entry
adfstest, qa.convenience, qa.speed have weaker controls (default creds, disabled auth, permissive CORS common in QA).
Pivot
QA ADFS access → test user DB → spray production ADFS. QA portals may carry embedded API keys.
Objective
Credential harvest; lateral move to prod with months of dwell time.
#2 · Path C: Citrix NetScaler pre-auth RCE (if rpad/connectbpc on NetScaler)

effort hours · detect high (good)
Entry
rpad / connectbpc endpoints suggest Citrix NetScaler. CVE-2025-7775 + CVE-2025-5777.
Pivot
RCE on NetScaler; memory leak → session token extraction.
Objective
Lateral move to production; fuel-procurement access.
#2 · Path D: Email spoofing → executive phishing

effort days · detect low (bad)
Entry
SPF ~all soft-fail.
Pivot
Phishing from cfo@ claiming urgent procurement; lure to qa.speed-hosted phishing.
Objective
Executive credential theft; procurement fraud.

Mythos compression

Discovery-time compression: pre-AI adversary vs Mythos-class adversary, per attack path.

Path A · ADFS brute force + credential spray

  • factor · ~3× weak password; 10× SMS MFA; near-invisible if leaked VPN creds used
  • pre-AI · ADFS brute force standard; user enum via Kerberos error codes
  • Mythos · BPCL CMDs are state-espionage targets; ADFS is gateway to email + VPN; spraying breached creds from peer energy companies is high-ROI for foreign intelligence

Path B · QA environment exploitation → production pivot

  • factor · ~5× isolated QA; 1× if shared service accounts; 10× if QA→Prod deployment pipeline
  • pre-AI · QA compromise textbook; default creds, data replication
  • Mythos · Test envs are forgotten frontier; adfstest likely manages prod-equivalent service accounts; QA DBs reverse-identifiable; production pivot with months undetected

The compression factor is reasoned, not measured. Mythos-class capability changes the tempo of attack-path traversal; the topology of the chain is unchanged.

CISO patch list

Tier 1 · within 7 days

  • critical

    ADFS pre-auth hardening — disable form-based external login

    Host
    adfs.bharatpetroleum.in
    Fix
    Disable form-based external login (Kerberos only). IP allowlist /adfs/ls/. Lockout 5 fails → 15 min. MFA TOTP/FIDO2.
    Owner
    BPCL IAM
    Validation
    External form login blocked; lockout fires; MFA enforced
  • critical

    Citrix NetScaler patches CVE-2025-7775 + CVE-2025-5777

    Host
    rpad / connectbpc (if NetScaler)
    CVE
    CVE-2025-7775, CVE-2025-5777
    Fix
    Patch NetScaler to current build. TLS ≥ 1.2 enforced. Strong ciphers only.
    Owner
    Infrastructure / Network Ops
    Validation
    NetScaler version ≥ patched build
  • critical

    QA / test environment segregation

    Host
    adfstest / qa.convenience / qa.speed
    Fix
    Dedicated QA service accounts (no prod reuse). Network isolation. Rotate all QA passwords. IP allowlist (developer IPs). Re-auth required for QA→Prod calls.
    Owner
    Infrastructure / DevOps
    Validation
    AD audit confirms no shared service accounts; QA on isolated subnet
  • critical

    Email spoofing prevention — SPF -all + DMARC p=reject

    Host
    bharatpetroleum.in (email)
    Fix
    SPF ~all → -all. DMARC p=reject. DKIM. BIMI. Explicit SPF for mail subdomains.
    Owner
    Email Security
    Validation
    mxtoolbox shows -all; DMARC p=reject

Tier 2 · within 30 days

  • high

    Convenience portal SQLi remediation

    Host
    convenience.bharatpetroleum.in
    CWE
    CWE-89
    Fix
    Parameterise queries. Cloudflare WAF SQLi rules. Data-integrity checks. API auth required.
    Owner
    Development
    Validation
    sqlmap finds 0 injection; WAF blocks SQLi PoC
  • high

    Remote-access VPN — MFA + protocol audit

    Host
    rpad / connectvc / connectbpc
    Fix
    MFA TOTP/FIDO2. Disable legacy protocols. Split-tunnel restrictions. 8-hour idle timeout. Geographic anomaly alerts.
    Owner
    Network Security
    Validation
    MFA enforced; protocol audit clean; geolocation alerts active

Tier 3 · within 90 days

  • medium

    Subdomain enumeration audit on 30+ subdomains

    Host
    bharatpetroleum.in
    Fix
    Inventory all subdomains. Verify each is authorised. Decommission unused. DNS integrity monitoring.
    Owner
    Infrastructure
    Validation
    Official subdomain register; monthly CT audit

Methodology is reproducible by any visitor with curl, dig, and openssl. Phase 1 (passive) findings are unconditional; Phase 2 (active) findings require per-entity ethical-hacking authorisation.

Sibling: Sanjaya — fuel pricing transparency on the same Ministry portfolio. Sanjaya narrates; Sanket warns.