PROVISIONAL · upstream

Bharat PetroResources Limited

Canonical pending verification with BPCL parent; assumed canonical bprlindia.com had no DNS

bharatpetroresources.com · baseline scan 2026-04-27 · daily passive check 2026-06-13 · Phase 2 active scan 2026-04-28

Daily passive check · 2026-06-13

score 56

Availability

HTTP 200

TLS

2026-08-09 · 57d

Headers

6 missing · 0 permissive

Email auth

SPF missing · DMARC absent

0

Security score

Watch

Headline findings

  • 01 · bprlindia.com (initial assumed canonical) returned no DNS A record
  • 02 · bharatpetroresources.com (likely canonical) — Cloudflare front, LiteSpeed origin, scheduled-maintenance mode
  • 03 · bharatpetroresources.in also live (ASP.NET stack) — needs verification: legitimate alternate or impersonation

Urgent · time-bound actions

  • 30d · Confirm canonical domain via BPCL parent or MoPNG annual report reference before public publication

TLS security

pass

Issuer
Google Trust Services
Expires
2026-08-09 (57d)

Email authentication

SPF
missing
DKIM
unknown
DMARC
absent

Hardening headers

0 / 0 / 6 · present / permissive / missing

  • HSTS · missing
  • CSP · missing
  • X-Frame · missing
  • X-Content-Type · missing
  • Referrer-Policy · missing
  • Permissions-Policy · missing

Lookalike domains

No typosquats identified.

Public topology · CT logs

0 total

No subdomains in CT logs — minimal external attack surface.

Certificate-transparency logs are immutable and public. Sensitive subdomains advertised here cannot be retracted; the mitigation is forward-only — new internal services route through a private CA that does not submit to public CT.

Phase 2 · Active scan complete

Authorised ethical-hacking assessment ran on 2026-04-28. Active fingerprinting, CVE matching, Mythos-class adversary simulation, and CISO patch list below.

Single-question version for MD

Which domain is the canonical BPRL site — bharatpetroresources.com or bharatpetroresources.in — and what is the cert-renewal status given 44 days to expiry?

Active fingerprints · per host

  • bharatpetroresources.com · EOL × 1

    Cloudflare front + LiteSpeed origin with WordPress

    • Google TLS WE1 expires 2026-06-11 (~44 days remaining — URGENT renewal needed)
  • bharatpetroresources.in · EOL × 1

    ASP.NET (different stack; canonical ambiguity)

    • Separate domain — canonical not yet confirmed by BPCL parent

Attack-path simulation

Mythos-class adversary analytical chain · paths ranked by exploitability × access value.

#1

Path A: WordPress arbitrary file upload → RCE (CVE-2024-31210 if vulnerable)

effort hours
detect medium
Entry
If WordPress 6.0–6.4.2, plugin upload allows path-traversal file write. Authenticated user with upload capability.
Pivot
Upload .zip plugin; on FTP-creds prompt, file persists in Media Library; PHP shell uploaded.
Objective
RCE on WordPress; complete site compromise.
#2

Path B: Cloudflare bypass → origin server attack

effort hours
detect low (bad)
Entry
Identify origin IP via DNS leaks or CT issuance trail; bypass Cloudflare WAF.
Pivot
Port-scan origin; exploit unpatched LiteSpeed or WordPress directly.
Objective
Direct DB and filesystem access without WAF interference.
#2

Path C: Canonical-confusion attack across .com / .in

effort days
detect low (bad)
Entry
Two stacks (.com WordPress, .in ASP.NET) — attacker exploits ambiguity.
Pivot
Compromise weaker stack; phish .com users via .in 'official' content.
Objective
Cross-domain credential harvesting; supply-chain attack on partners.
#3

Path D: TLS expiry MITM window (44 days)

effort
detect high (good)
Entry
Cert renewal not started; expiry approaches.
Pivot
During emergency recertification, attacker presents rogue cert.
Objective
MITM during emergency renewal; service disruption.

Mythos compression

Discovery-time compression: pre-AI adversary vs Mythos-class adversary, per attack path.

Path A · WordPress arbitrary file upload → RCE (CVE-2024-31210 if vulnerable)
factor ~4–6×
pre-AI
WordPress RCE → site control + customer data + malware distribution to visitors
Mythos
PSU-branded site compromise; malware injected on partner portals; supply-chain vector (vendor docs trojaned with SideCopy RAT, sector-documented)

The compression factor is reasoned, not measured. Mythos-class capability changes the tempo of attack-path traversal; the topology of the chain is unchanged.

CISO patch list

Tier 1 · within 7 days

  • critical

    URGENT: Renew TLS cert before 2026-06-11 (44 days)

    Host
    bharatpetroresources.com
    Fix
    Start CSR generation today. Submit to Google Trust Services or Sectigo. 2-5 day turnaround. Install in Cloudflare → SSL/TLS → Origin Server.
    Owner
    BPRL IT / TLS Admin
    Validation
    openssl x509 -enddate shows notAfter > 2027-06
  • high

    Confirm canonical domain with BPCL parent and resolve .com/.in ambiguity

    Host
    bharatpetroresources.com vs bharatpetroresources.in
    Fix
    BPRL leadership decides canonical. Implement 301 redirect on non-canonical. Audit .in (ASP.NET) for security controls; if not authorised, file impersonation complaint.
    Owner
    BPRL Leadership / IT Security
    Validation
    HTTP GET non-canonical returns 301 to canonical
  • critical

    WordPress core to 6.4.3+ (or current) for CVE-2024-31210

    Host
    bharatpetroresources.com
    CVE
    CVE-2024-31210 (conditional on version)
    Fix
    WP CLI: wp core update. Disable plugin upload via wp-config: define('DISALLOW_FILE_MODS', true);
    Owner
    BPRL Web Admin
    Validation
    wp core version returns ≥ 6.4.3; plugin-upload UI absent

Tier 2 · within 30 days

  • high

    Cloudflare origin protection + 'Always Use HTTPS'

    Host
    bharatpetroresources.com
    Fix
    Cloudflare → SSL/TLS → Always Use HTTPS ON. Origin firewall: only Cloudflare IP ranges accepted.
    Owner
    BPRL Cloud Ops
    Validation
    curl http:// redirects to https://; direct origin IP refused
  • high

    Restrict admin-role accounts ≤ 2; enforce 2FA

    Host
    bharatpetroresources.com
    CVE
    CVE-2024-31210 mitigation
    Fix
    WP CLI: wp user list --role=administrator. Reduce to ≤ 2. Enforce 2FA via plugin (Wordfence / Two-Factor).
    Owner
    BPRL Web Admin
    Validation
    Admin count ≤ 2; 2FA required on each

Methodology is reproducible by any visitor with curl, dig, and openssl. Phase 1 (passive) findings are unconditional; Phase 2 (active) findings require per-entity ethical-hacking authorisation.
