MEDIUM · gas

GAIL India

CSP unsafe-inline + unsafe-eval (XSS surface); otherwise strong

gailonline.com · baseline scan 2026-04-27 · daily passive check 2026-06-13 · Phase 2 active scan 2026-04-28

Daily passive check · 2026-06-13

score 20

Availability

HTTP 200

TLS

2026-07-27 · 44d

Headers

0 missing · 1 permissive

Email auth

SPF strict · DMARC reject

70

Security score

Watch

Headline findings

  • 01 · CSP includes unsafe-inline AND unsafe-eval in script-src — significant XSS surface
  • 02 · Otherwise solid: HSTS, p=reject DMARC, tight SPF
  • 03 · Apache backend, 2 subdomains only — minimal CT footprint

TLS security

warn

Issuer
eMudhra Technologies Limited
Expires
2026-07-27 (44d)

certificate expires in 44 days

Email authentication

SPF
strict
DKIM
present
DMARC
reject

Hardening headers

5 / 1 / 0 · present / permissive / missing

  • HSTS · present
  • CSP · permissive
  • X-Frame · present
  • X-Content-Type · present
  • Referrer-Policy · present
  • Permissions-Policy · present

Lookalike domains

  • gailonline.net · 192.64.119.199 (third-party)

Public topology · CT logs

2 total

2 subdomains in CT logs; no sensitive categories flagged.

Certificate-transparency logs are immutable and public. Sensitive subdomains advertised here cannot be retracted; the mitigation is forward-only — new internal services route through a private CA that does not submit to public CT.

Phase 2 · Active scan complete

Authorised ethical-hacking assessment ran on 2026-04-28. Active fingerprinting, CVE matching, Mythos-class adversary simulation, and CISO patch list below.

Single-question version for MD

Can GAIL eliminate unsafe-inline/unsafe-eval from CSP before the next XSS injection is discovered in a public form field?

Active fingerprints · per host

  • gailonline.com · EOL × 1

    Apache (no version disclosure)

    • CSP unsafe-inline + unsafe-eval (script-src) — XSS surface

Attack-path simulation

Mythos-class adversary analytical chain · paths ranked by exploitability × access value.

#1

Path A: CSP bypass → stored XSS → admin token theft

effort hours
detect medium
Entry
Inject <script> via form field; unsafe-inline + unsafe-eval allow execution.
Pivot
Token harvesting from localStorage / session storage; admin impersonation.
Objective
Site malware injection; admin account loss; sensitive data exfil.
#2

Path B: Spear-phishing with sector-themed lure

effort days
detect medium
Entry
Craft spoofed energy-sector policy memo (GAIL/NRL/MRPL letterhead).
Pivot
Email executive with .lnk → attacker-hosted .exe (SideCopy TTP). RAT deployment.
Objective
Supply-chain compromise via trusted internal communications.
#3

Path C: Refinery-contractor email phishing

effort days
detect medium
Entry
Phish refinery contractor mailboxes with sector-themed lure.
Pivot
C2 beaconing + credential harvesting.
Objective
Lateral move via supply chain.

Mythos compression

Discovery-time compression: pre-AI adversary vs Mythos-class adversary, per attack path.

Path A · CSP bypass → stored XSS → admin token theft
factor ~2–3×
pre-AI
CSP misconfiguration → stored XSS → admin access loss + sensitive data exfil
Mythos
AI-augmented attacker chains XSS payload mutation with token-harvesting playbook
Path B · Spear-phishing with sector-themed lure
factor ~3–5×
pre-AI
Manual lure crafting + RAT deployment
Mythos
Lure document generation accelerated; supply-chain compromise compressed

The compression factor is reasoned, not measured. Mythos-class capability changes the tempo of attack-path traversal; the topology of the chain is unchanged.

CISO patch list

Tier 1 · within 7 days

  • critical

    Tighten CSP — remove unsafe-inline and unsafe-eval from script-src

    Host
    gailonline.com
    Fix
    Use nonce-based CSP for inline scripts. Audit templates for inline event handlers; migrate to external files.
    Owner
    Web / Frontend Engineering
    Validation
    curl -i shows CSP without unsafe-inline/eval
  • high

    Audit form fields and AJAX endpoints for injection points; deploy WAF rule

    Host
    gailonline.com
    Fix
    Pen-test form inputs. Cloudflare/ModSecurity rule: block <script>, <iframe>, on*= patterns.
    Owner
    Security / WAF
    Validation
    <img src=x onerror=alert(1)> payload returns 403

Tier 2 · within 30 days

  • high

    Subresource Integrity (SRI) on all CDN-hosted scripts

    Host
    gailonline.com
    Fix
    Add integrity=sha384-... attributes on external <script src> tags.
    Owner
    Frontend Engineering
    Validation
    All external scripts have SRI hash attributes
  • high

    SIEM / EDR monitoring for suspicious document opens

    Host
    GAIL endpoints
    Fix
    Monitor Office macro execution and .lnk launches. Pilot 50-100 endpoints.
    Owner
    SOC / EDR
    Validation
    EDR logs show exec block on suspicious file types
  • high

    Email attachment filtering — block .lnk, .exe, .ps1, macro Office

    Host
    GAIL email infrastructure
    Fix
    Mail gateway: block these extensions. Warn on external sender. Quarantine if exec content.
    Owner
    Email Security
    Validation
    Test .lnk attachment quarantined

Tier 3 · within 90 days

  • medium

    Service-account credential rotation; reduce session TTL

    Host
    gailonline.com
    Fix
    Rotate all web-app service account creds. Audit token expiry; reduce to <4 h for sensitive ops.
    Owner
    App Security
    Validation
    Application logs show session TTL < 4 h for sensitive ops

Methodology is reproducible by any visitor with curl, dig, and openssl. Phase 1 (passive) findings are unconditional; Phase 2 (active) findings require per-entity ethical-hacking authorisation.

Sibling: Sanjaya — fuel pricing transparency on the same Ministry portfolio. Sanjaya narrates; Sanket warns.