HIGH · omc

Hindustan Petroleum Corporation Ltd

Baseline scan: all 6 hardening headers missing; SPF +a +mx ~all (every A/MX host is an authorised sender, everything else only soft-fails)

hindustanpetroleum.com · baseline scan 2026-04-27 · daily passive check 2026-06-13 · Phase 2 active scan 2026-04-28

Daily passive check · 2026-06-13

Daily check score: 56

Availability: HTTP 200
TLS: expires 2026-07-14 (31d)
Headers: 1 missing · 1 permissive
Email auth: SPF missing · DMARC absent

Security score: 46 · Elevated

Headline findings

  • 01 · All 6 standard hardening headers missing at the 2026-04-27 baseline (HTTP 200 confirmed by quality re-pass); the 2026-06-13 daily check reports 4 present, 1 permissive, 1 missing
  • 02 · SPF +a +mx ~all: every host behind the domain's A and MX records is an authorised sender, and any other source only soft-fails
  • 03 · DMARC p=quarantine, not p=reject: forged mail that fails alignment is filed as spam rather than refused
  • 04 · Cloudflare-fronted origin

TLS security

State: warn
Issuer: Google Trust Services
Expires: 2026-07-14 (31 days from the 2026-06-13 check)

Certificate expires in 31 days.

Email authentication

SPF: missing
DKIM: unknown (selectors cannot be enumerated from DNS alone; a received message is needed to name one)
DMARC: absent

The 2026-04-27 baseline recorded SPF +a +mx ~all and DMARC p=quarantine; this check found neither record.

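The SPF and DMARC reasoning used throughout this report (the baseline's +a +mx ~all and p=quarantine, and the Tier 1 target of -all and p=reject), as an added example that is not the scanner's code. It parses both record types and states what happens to a forged message under each combination. The records are constructed and the include: hostname is a placeholder; nothing here is looked up in DNS.

```python
"""Evaluate SPF and DMARC records the way the email-auth checks in this report reason.

Added example for this report, not the scanner's own code. The records below are
constructed to match the states the report describes (baseline: +a +mx ~all and
p=quarantine; target: -all and p=reject); they are not live DNS answers, and the
include: hostname is a placeholder.
"""
from typing import Dict, List, Optional, Tuple

Mechanism = Tuple[str, str, str]  # (qualifier, mechanism name, full term)


def parse_spf(record: str) -> Dict[str, object]:
    """Split an SPF record into its mechanisms and the qualifier on the terminal `all`."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        raise ValueError("not an SPF record")
    mechanisms: List[Mechanism] = []
    all_qualifier: Optional[str] = None
    for term in terms[1:]:
        qualifier = "+"  # SPF's default qualifier is pass
        if term[0] in "+-~?":
            qualifier, term = term[0], term[1:]
        name = term.split(":", 1)[0].split("/", 1)[0].lower()
        if name == "all":
            all_qualifier = qualifier
        else:
            mechanisms.append((qualifier, name, term))
    return {"mechanisms": mechanisms, "all": all_qualifier}


def spf_findings(record: str) -> List[str]:
    """Weaknesses: a permissive `all`, and +a/+mx that widen the authorised sender set."""
    spf = parse_spf(record)
    findings: List[str] = []
    if spf["all"] in (None, "?", "+"):
        findings.append("no fail on `all`: any sender passes")
    elif spf["all"] == "~":
        findings.append("~all soft-fails unauthorised senders instead of rejecting them")
    for qualifier, name, _ in spf["mechanisms"]:
        if qualifier == "+" and name in ("a", "mx"):
            findings.append(f"+{name} authorises every host behind the domain's {name.upper()} records")
    return findings


def dmarc_policy(record: Optional[str]) -> str:
    """'none', 'quarantine', 'reject', or 'absent' when there is no usable record."""
    if not record:
        return "absent"
    tags = dict(t.strip().split("=", 1) for t in record.split(";") if "=" in t)
    if tags.get("v", "").strip().upper() != "DMARC1":
        return "absent"
    return tags.get("p", "none").strip().lower()


def spoof_exposure(spf_record: str, dmarc_record: Optional[str]) -> str:
    """Fate of a message forged from an IP not authorised by SPF and not DKIM-signed."""
    spf = parse_spf(spf_record)
    policy = dmarc_policy(dmarc_record)
    if policy == "reject":
        return "rejected at DMARC-enforcing receivers"
    if policy == "quarantine":
        return "quarantined at DMARC-enforcing receivers, delivered at the rest"
    if spf["all"] == "-":
        return "rejected by receivers that act on SPF hard-fail; no DMARC reporting"
    return "delivered: no enforcing policy"


# Constructed records (not DNS answers); the include: hostname is a placeholder.
SPF_BASELINE = "v=spf1 +a +mx include:_spf.example.invalid ~all"
DMARC_BASELINE = "v=DMARC1; p=quarantine; rua=mailto:dmarc@example.invalid"
SPF_HARDENED = "v=spf1 include:_spf.example.invalid -all"
DMARC_HARDENED = "v=DMARC1; p=reject; rua=mailto:dmarc@example.invalid"

if __name__ == "__main__":
    for label, spf, dmarc in (("baseline", SPF_BASELINE, DMARC_BASELINE),
                              ("hardened", SPF_HARDENED, DMARC_HARDENED)):
        print(label, "SPF findings:", spf_findings(spf) or ["none"])
        print(label, "DMARC:", dmarc_policy(dmarc), "->", spoof_exposure(spf, dmarc))
```

The order of the checks in spoof_exposure mirrors how receivers behave: a DMARC policy, when present, decides the fate of unaligned mail regardless of whether SPF said softfail or fail, which is why moving to p=reject matters more than the ~all to -all change on its own.
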
Hardening headers

4 present · 1 permissive · 1 missing

  • HSTS · missing
  • CSP · permissive
  • X-Frame-Options · present
  • X-Content-Type-Options · present
  • Referrer-Policy · present
  • Permissions-Policy · present

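A local version of the present/permissive/missing classification above, usable as the validation step for the Tier 1 header fix, as an added example that is not the scanner's code. It parses a response head as `curl -sI` prints it and scores the six headers. The HSTS threshold (six months) and the CSP rules are this example's assumptions; the response shown is constructed to match the 2026-06-13 result, not a capture from the site.

```python
"""Classify the six hardening headers as present / permissive / missing.

Added example for this report, not the scanner's own code. The HSTS
threshold and the CSP rules below are assumptions made here; the sample
response is constructed, not captured from the site.
"""
import re
from typing import Dict, Optional, Tuple

HEADERS = (
    "strict-transport-security",
    "content-security-policy",
    "x-frame-options",
    "x-content-type-options",
    "referrer-policy",
    "permissions-policy",
)

SIX_MONTHS = 15552000  # assumption: a shorter HSTS max-age counts as permissive


def parse_head(raw: str) -> Dict[str, str]:
    """Parse a raw response head (status line + headers) into a lower-cased dict."""
    headers: Dict[str, str] = {}
    for line in raw.splitlines()[1:]:  # first line is the status line
        if ":" not in line:
            continue
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return headers


def classify(name: str, value: Optional[str]) -> str:
    """Return 'missing', 'permissive' or 'present' for one header."""
    if value is None:
        return "missing"
    v = value.lower()
    if name == "strict-transport-security":
        m = re.search(r"max-age=(\d+)", v)
        return "present" if m and int(m.group(1)) >= SIX_MONTHS else "permissive"
    if name == "content-security-policy":
        # inline/eval allowances, a bare wildcard source, or no default-src fallback
        weak = (
            "'unsafe-inline'" in v
            or "'unsafe-eval'" in v
            or re.search(r"(^|\s)\*(\s|;|$)", v) is not None
            or "default-src" not in v
        )
        return "permissive" if weak else "present"
    if name == "x-frame-options":
        return "present" if v in ("deny", "sameorigin") else "permissive"
    if name == "x-content-type-options":
        return "present" if v == "nosniff" else "permissive"
    if name == "referrer-policy":
        return "permissive" if "unsafe-url" in v else "present"
    return "present"  # permissions-policy: any explicit policy counts as present


def audit(raw: str) -> Dict[str, str]:
    headers = parse_head(raw)
    return {h: classify(h, headers.get(h)) for h in HEADERS}


def summary(raw: str) -> Tuple[int, int, int]:
    """(present, permissive, missing) counts, in the report's order."""
    states = list(audit(raw).values())
    return states.count("present"), states.count("permissive"), states.count("missing")


# Constructed response head (not a capture): HSTS absent, CSP allows inline script,
# the other four set, matching the 2026-06-13 daily check's 4 / 1 / 1.
SAMPLE = """HTTP/1.1 200 OK
Server: cloudflare
Content-Security-Policy: default-src 'self'; script-src 'self' 'unsafe-inline'
X-Frame-Options: SAMEORIGIN
X-Content-Type-Options: nosniff
Referrer-Policy: strict-origin-when-cross-origin
Permissions-Policy: geolocation=(), camera=()
"""

if __name__ == "__main__":
    for header, state in audit(SAMPLE).items():
        print(f"{header:28s} {state}")
    print("present/permissive/missing:", summary(SAMPLE))
```

Feed it `curl -sI https://hindustanpetroleum.com` output (the report's own reproducibility claim) to compare against the dashboard; a CSP that only reaches "present" here still needs a manual read, since the rules above catch the common weak patterns rather than every possible one.
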
Lookalike domains

  • hindustanpetroleum.co.in · 162.215.226.6 (Unified Layer, third-party)
  • hindustanpetroleum.co · blocked by Airtel spam RPZ

Public topology · CT logs

0 total

No subdomains of hindustanpetroleum.com appear in CT logs, so the CT-visible surface is minimal. This bounds only what public CAs have logged; the Phase 2 active scan below still enumerated hpclapi, hpcladmin and lserver182-ind.

Certificate-transparency logs are immutable and public. A sensitive subdomain advertised there cannot be retracted, so the mitigation is forward-only: new internal services get certificates from a private CA that does not submit to public CT, and only names meant to be public go to a public CA.

Phase 2 · Active scan complete

Authorised ethical-hacking assessment ran on 2026-04-28. Active fingerprinting, CVE matching, Mythos-class adversary simulation, and CISO patch list below.

Single-question version for MD

HPCL's missing HTTP hardening headers, soft-fail SPF, and the July 2026 TLS rotation fall in one window: what incident-response and forensic capability exists to detect and contain a man-in-the-middle attack against the site or hpclapi during the renewal?

Active fingerprints · per host

  • hindustanpetroleum.com · EOL × 3

    Cloudflare + Google Trust Services TLS + ASP.NET Core; all 6 hardening headers missing at baseline

    • CRITICAL: 0/6 hardening headers present
    • SPF +a +mx ~all (every A/MX host authorised; soft-fail for all other senders)
    • TLS expires 2026-07-14 (78 days from the baseline scan)
  • hpclapi.hindustanpetroleum.com / hpcladmin.hindustanpetroleum.com · EOL × 1

    Admin/API endpoints (ASP.NET Core)

    • Admin and API hostnames publicly enumerable
  • lserver182-ind.hindustanpetroleum.com · EOL × 1

    Shared cPanel/WHM hosting

    • Shared infrastructure; cPanel (2083) and WHM (2087) logins exposed, a standard brute-force target

Attack-path simulation

Mythos-class adversary analytical chain · paths ranked by exploitability × access value.

#1 · Path A: Missing headers → clickjacking + MIME-sniffing polyglot script execution

effort: hours · detect: low (bad)
Entry: All 6 hardening headers missing. Without X-Content-Type-Options: nosniff a browser may sniff a served file into an executable type; without X-Frame-Options (or CSP frame-ancestors) the site can be framed; without CSP any injection that does exist runs unmitigated.
Pivot: Transparent iframe overlay so the victim's click lands on an attacker-placed control (form intercept). If the site accepts uploads and serves them inline, an SVG+XML polyglot runs script in the site's origin when opened; no upload endpoint was confirmed by this scan.
Objective: Session hijack; payment theft; malware injection; pricing defacement.

#1 · Path B: Email spoofing → executive phishing

effort: days · detect: low (bad)
Entry: SPF +a +mx ~all: the domain's own A and MX hosts are authorised senders and every other source only soft-fails.
Pivot: Phishing sent as ceo@hindustanpetroleum.com (illustrative address) claiming urgent divestment/M&A.
Objective: Executive credential theft; insider threat; procurement fraud.

#2 · Path C: cPanel/WHM brute force on lserver182-ind

effort: hours · detect: medium
Entry: lserver182-ind exposes cPanel (2083) and WHM (2087) logins. Candidate usernames: hpcl, hpcl_wp, hpcl_shop. Brute force works only if no lockout is active; cPanel ships cPHulk brute-force protection, and whether it is enabled here was not verified.
Pivot: WHM compromise → FTP, webshell, lateral movement to other customers on the shared host. If hpclapi/hpcladmin are co-located, direct admin API access.
Objective: Webshell persistence; lateral movement; API credential extraction.

#2 · Path D: TLS rotation MITM (78 days at baseline)

effort: days · detect: low (bad)
Entry: Cert expires 2026-07-14. The renewal itself does not open a window; the precondition is registrar or DNS control, which permits a rogue issuance at any time. What the renewal changes is the noise: a new certificate in CT is expected then, so a rogue one is easier to miss unless the expected issuer is pinned in monitoring and in a CAA record.
Pivot: A browser-trusted rogue cert allows MITM of hpclapi traffic: intercept API tokens; modify fuel pricing/inventory.
Objective: Supply-chain disruption; API MITM; customer data.

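Path D above and the TLS rotation item in the patch list both come down to two checks: how long the current certificate has left, and whether anything new in CT was issued by someone other than the expected CA for a name nobody expected. Added example, not the scanner's code; the CT entries are constructed, the expected-issuer and known-name sets are assumptions, and the state thresholds are chosen to reproduce this report's warn at 31 days. The same certificate date gives 78 days from the baseline scan and 31 from the daily check, which is where both figures on this page come from.

```python
"""Days-to-expiry and a certificate-transparency watch for the Path D scenario.

Added example for this report, not the scanner's own code. The CT entries are
constructed (not fetched from any log), the expected-issuer set and known-name
set are assumptions, and the warn threshold is chosen to reproduce the report's
'warn' at 31 days.
"""
from datetime import date
from typing import Dict, List, Set, Tuple

EXPECTED_ISSUERS: Set[str] = {"Google Trust Services"}  # assumption: the issuer seen today
KNOWN_NAMES: Set[str] = {"hindustanpetroleum.com", "www.hindustanpetroleum.com"}  # assumption


def days_to_expiry(not_after: str, today: str) -> int:
    """Days between two ISO dates; negative once the certificate has expired."""
    return (date.fromisoformat(not_after) - date.fromisoformat(today)).days


def expiry_state(not_after: str, today: str) -> str:
    """'expired' / 'critical' (<= 14 d) / 'warn' (<= 45 d) / 'ok'; thresholds are assumptions."""
    d = days_to_expiry(not_after, today)
    if d < 0:
        return "expired"
    if d <= 14:
        return "critical"
    if d <= 45:
        return "warn"
    return "ok"


def review_ct(entries: List[Dict], expected_issuers: Set[str] = EXPECTED_ISSUERS,
              known_names: Set[str] = KNOWN_NAMES) -> List[Tuple[int, List[str]]]:
    """Entries a defender should look at: an issuer outside the expected set, or a SAN
    that is not a known name. A routine renewal by the expected CA produces no alert."""
    alerts = []
    for entry in entries:
        reasons = []
        if entry["issuer"] not in expected_issuers:
            reasons.append(f"unexpected issuer {entry['issuer']}")
        unknown = sorted(set(entry["sans"]) - known_names)
        if unknown:
            reasons.append("unknown names " + ", ".join(unknown))
        if reasons:
            alerts.append((entry["id"], reasons))
    return alerts


# Constructed CT entries (none of these is a real log record).
ENTRIES = [
    {"id": 1, "issuer": "Google Trust Services", "not_after": "2026-07-14",
     "sans": ["hindustanpetroleum.com", "www.hindustanpetroleum.com"]},   # the cert in use
    {"id": 2, "issuer": "Google Trust Services", "not_after": "2026-10-12",
     "sans": ["hindustanpetroleum.com", "www.hindustanpetroleum.com"]},   # routine renewal
    {"id": 3, "issuer": "Example CA", "not_after": "2027-04-28",
     "sans": ["hindustanpetroleum.com", "rogue.hindustanpetroleum.com"]},  # should be investigated
]

if __name__ == "__main__":
    for scan_day in ("2026-04-27", "2026-06-13"):
        print(scan_day, days_to_expiry("2026-07-14", scan_day), "days,",
              expiry_state("2026-07-14", scan_day))
    for entry_id, reasons in review_ct(ENTRIES):
        print("CT alert", entry_id, "; ".join(reasons))
```

The issuer check is what a CAA record enforces at issuance time; running the same comparison over CT is the detective control for the case where a CA ignores CAA or the record is missing. Entry 2 shows why a plain "new certificate appeared" alert is not enough: the renewal is expected and must not be what the on-call person learns to dismiss.
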
Mythos compression

Discovery-time compression: pre-AI adversary vs Mythos-class adversary, per attack path.

Path A · Missing headers → clickjacking + MIME-sniffing polyglot script execution
factor ~1× if only clickjacking; ~10× if MIME sniffing exploited
pre-AI
Missing headers = OWASP A05:2021 Security Misconfiguration, a standard hardening flaw
Mythos
Absence of all 6 headers suggests no header-hardening review at HPCL. If an upload endpoint exists, a polyglot SVG+XML yields client-side script execution for every fuel-portal visitor: a delivery vector for retail fuel pricing manipulation
Path B · Email spoofing → executive phishing
factor ~5× harder if DMARC p=reject; current state ≈ 1×
pre-AI
Soft-fail SPF allows spoofing; state actors target energy executives
Mythos
SPF +a +mx ~all plus DMARC p=quarantine (not reject): a forged CEO message is filed as spam at receivers that enforce DMARC and delivered unchanged at receivers that do not. SideCopy / WIZARD SPIDER pattern for Indian energy infra

The compression factor is reasoned, not measured. Mythos-class capability changes the tempo of attack-path traversal; the topology of the chain is unchanged.

CISO patch list

Tier 1 · within 7 days

  • critical

    HTTP security headers (CRITICAL: 0/6 present at baseline)

    Host: hindustanpetroleum.com
    CWE: CWE-345, CWE-79, CWE-1021
    Fix: Add all 6: HSTS (max-age of at least six months, includeSubDomains), CSP with an explicit default-src and no 'unsafe-inline', X-Frame-Options SAMEORIGIN (or CSP frame-ancestors), X-Content-Type-Options nosniff, Referrer-Policy, Permissions-Policy.
    Owner: Development
    Validation: securityheaders.com returns A+; a MIME-sniffing test (a script-bearing file served with the wrong Content-Type) is not executed by the browser
  • critical

    Email spoofing prevention: SPF -all + DMARC p=reject

    Host: hindustanpetroleum.com (email)
    Fix: Replace +a +mx with the explicit sending hosts or includes; change ~all to -all. Sign outbound mail with DKIM so legitimate forwarded mail still aligns. Move DMARC to p=reject once rua reports show no legitimate sender failing. BIMI is optional branding that requires enforcement, not a control. Test hard-fail by sending from an unauthorised IP.
    Owner: Email Security
    Validation: mxtoolbox shows -all and p=reject; spoofed mail bounces
  • critical

    TLS rotation procedure (78 days to expiry at baseline)

    Host: hindustanpetroleum.com
    Fix: Initiate renewal now. Enable DNSSEC. Publish a CAA record limiting issuance to the CA in use. Monitor CT for the domain and alert on any other issuer or unknown name. MFA on the CA account and on the registrar account. (HPKP is deprecated and ignored by current browsers; CAA plus CT monitoring replaces it.)
    Owner: Infrastructure
    Validation: DNSSEC validates; CAA record resolves; CT monitoring alerts on the renewal itself
  • critical

    cPanel/WHM brute-force protection

    Host: lserver182-ind.hindustanpetroleum.com
    Fix: Lockout after 5 failures for 30 min (cPHulk). Firewall 2083/2087 to VPN or allowlisted IPs; a non-standard port alone does not stop scanning. MFA TOTP/FIDO2 for WHM and cPanel accounts. SSH key-based auth only. Audit default accounts.
    Owner: Hosting / SysAdmin
    Validation: lockout fires under test; MFA enforced; WHM not reachable from outside the allowlist

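The lockout rule in the cPanel/WHM item (5 failures, 30 minutes) replayed over a constructed sequence of login events, as an added example that is neither cPanel's cPHulk code nor the scanner's. The event format is this example's own, not cPanel's login_log layout; the usernames are the enumeration candidates the attack-path section names. The point it makes beyond the rule text is that a lockout has to reject the attacker's sixth attempt even when that guess happens to be right.

```python
"""Replay login events through the '5 failures -> 30 min lockout' rule from the
cPanel/WHM item above. Added example for this report, not cPanel's (cPHulk's) or the
scanner's code. The event line format is this example's own, not cPanel's login_log
format, and every line below is constructed; the usernames are the ones the report
lists as enumeration candidates.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta
from typing import Deque, Dict, List, Tuple

THRESHOLD = 5
WINDOW = timedelta(minutes=30)


def parse_event(line: str) -> Tuple[datetime, str, str, str]:
    """Constructed format: '<ISO time> <source ip> <user> <FAIL|OK>'."""
    ts, ip, user, outcome = line.split()
    return datetime.fromisoformat(ts), ip, user, outcome


def replay(lines: List[str]) -> Tuple[List[Tuple[str, datetime]], List[Tuple[datetime, str, str]]]:
    """Return (lockouts, rejected): when each source IP got locked, and the attempts
    that arrived while the lock was in force (including a correct password)."""
    failures: Dict[str, Deque[datetime]] = defaultdict(deque)
    locked_until: Dict[str, datetime] = {}
    lockouts: List[Tuple[str, datetime]] = []
    rejected: List[Tuple[datetime, str, str]] = []
    for line in lines:
        ts, ip, user, outcome = parse_event(line)
        if ip in locked_until and ts < locked_until[ip]:
            rejected.append((ts, ip, user))        # locked: the password is not even checked
            continue
        if outcome == "OK":
            failures[ip].clear()                   # a real login resets the counter
            continue
        window = failures[ip]
        window.append(ts)
        while window and ts - window[0] > WINDOW:  # drop failures older than the window
            window.popleft()
        if len(window) >= THRESHOLD:
            locked_until[ip] = ts + WINDOW
            lockouts.append((ip, ts))
            window.clear()
    return lockouts, rejected


def replay_summary(lines: List[str]) -> Dict[str, List[str]]:
    """String form of replay() for reporting: ISO timestamps, no datetime objects."""
    lockouts, rejected = replay(lines)
    return {
        "lockouts": [f"{ip} {ts.isoformat()}" for ip, ts in lockouts],
        "rejected": [f"{ts.isoformat()} {ip} {user}" for ts, ip, user in rejected],
    }


# Constructed events (not a real log): one source cycles through the candidate
# usernames, then guesses right while locked; a legitimate admin logs in from
# elsewhere; the attacker returns after the lock has lapsed.
EVENTS = """2026-04-28T09:00:00 198.51.100.7 root FAIL
2026-04-28T09:00:05 198.51.100.7 hpcl FAIL
2026-04-28T09:00:09 198.51.100.7 hpcl_wp FAIL
2026-04-28T09:00:14 198.51.100.7 hpcl_shop FAIL
2026-04-28T09:00:20 198.51.100.7 root FAIL
2026-04-28T09:00:25 198.51.100.7 root OK
2026-04-28T09:05:00 203.0.113.5 admin OK
2026-04-28T09:31:00 198.51.100.7 root FAIL""".splitlines()

if __name__ == "__main__":
    for kind, items in replay_summary(EVENTS).items():
        print(kind, items)
```

Keying the counter on source IP is what cPHulk does by default; a distributed attacker spreads attempts across addresses, which is why the item also keeps MFA and the firewall allowlist rather than the lockout alone.
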
Tier 2 · within 30 days

  • high

    ASP.NET cookie + session security: SameSite=Strict + CSRF

    Host: hindustanpetroleum.com
    CWE: CWE-352
    Fix: SameSite=Strict (not Lax) on session cookies. Server-side CSRF token validation with [ValidateAntiForgeryToken] on state-changing actions. CSP form-action 'self'.
    Owner: Development
    Validation: Set-Cookie carries SameSite=Strict; CSRF token enforced; cross-site PoC request rejected
  • high

    API endpoint security on hpclapi

    Host: hpclapi.hindustanpetroleum.com
    Fix: Rate-limit 100 req/min/IP. API key auth. HMAC-SHA256 request signing with a timestamp and nonce so a captured request cannot be replayed. Full request log. IP allowlist if internal-only.
    Owner: Development / Security
    Validation: API key required; rate limit fires; unsigned or replayed request rejected
  • high

    Admin endpoint security on hpcladmin: internal IPs only

    Host: hpcladmin.hindustanpetroleum.com
    Fix: Internal IPs only (VPN + office). Cloudflare WAF IP access rule. MFA TOTP/FIDO2. Admin audit log. Re-auth on sensitive ops.
    Owner: Infrastructure
    Validation: External access blocked; MFA test passes

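The HMAC-SHA256 signing that the hpclapi item prescribes, written out end to end as an added example (not HPCL's API or the scanner's code): the client binds method, path, timestamp, nonce and body hash into one MAC, and the server checks freshness and nonce reuse before a constant-time signature compare. The header names, canonical layout, 5-minute window and key material are all assumptions made here.

```python
"""HMAC-SHA256 request signing with a freshness window and nonce replay check, for the
hpclapi Tier 2 item above. Added example for this report, not HPCL's or the scanner's
code. The canonical string layout, the header names and the 5-minute skew are this
example's assumptions; the key material is constructed.
"""
import hashlib
import hmac
import secrets
from typing import Callable, Dict, Set, Tuple

CLOCK_SKEW = 300  # seconds either side of the server clock (assumption)


def canonical(method: str, path: str, body: bytes, ts: int, nonce: str) -> bytes:
    """Bind method, path, time, nonce and body hash into one signed string."""
    body_hash = hashlib.sha256(body).hexdigest()
    return f"{method.upper()}\n{path}\n{ts}\n{nonce}\n{body_hash}".encode()


def sign(secret: bytes, method: str, path: str, body: bytes, ts: int, nonce: str) -> str:
    return hmac.new(secret, canonical(method, path, body, ts, nonce), hashlib.sha256).hexdigest()


def client_headers(key_id: str, secret: bytes, method: str, path: str,
                   body: bytes, ts: int) -> Dict[str, str]:
    """What the caller attaches; a fresh random nonce per request."""
    nonce = secrets.token_hex(8)
    return {"X-Api-Key": key_id, "X-Timestamp": str(ts), "X-Nonce": nonce,
            "X-Signature": sign(secret, method, path, body, ts, nonce)}


class Verifier:
    def __init__(self, keys: Dict[str, bytes], now: Callable[[], int]):
        self.keys = keys                            # key id -> shared secret
        self.now = now                              # injectable clock
        self.seen: Set[Tuple[str, str]] = set()     # (key id, nonce) already accepted

    def verify(self, headers: Dict[str, str], method: str, path: str, body: bytes) -> Tuple[bool, str]:
        key_id = headers.get("X-Api-Key", "")
        secret = self.keys.get(key_id)
        if secret is None:
            return False, "unknown key"
        try:
            ts = int(headers["X-Timestamp"])
            nonce = headers["X-Nonce"]
            presented = headers["X-Signature"]
        except (KeyError, ValueError):
            return False, "missing signing headers"
        if abs(self.now() - ts) > CLOCK_SKEW:
            return False, "stale timestamp"
        if (key_id, nonce) in self.seen:
            return False, "replayed nonce"
        expected = sign(secret, method, path, body, ts, nonce)
        if not hmac.compare_digest(expected, presented):   # constant-time compare
            return False, "bad signature"
        self.seen.add((key_id, nonce))
        return True, "ok"


# Constructed demo: one key and a fixed clock so the run is deterministic.
SECRET = b"constructed-shared-secret"
NOW = 1_780_000_000


def demo() -> Dict[str, Tuple[bool, str]]:
    """Exercise accept, replay, tampered body, stale timestamp and unknown key."""
    v = Verifier({"k1": SECRET}, now=lambda: NOW)
    body = b'{"product":"diesel","price":90.50}'
    good = client_headers("k1", SECRET, "POST", "/v1/prices", body, NOW)
    results = {"fresh": v.verify(good, "POST", "/v1/prices", body)}
    results["replay"] = v.verify(good, "POST", "/v1/prices", body)
    tampered = client_headers("k1", SECRET, "POST", "/v1/prices", body, NOW)
    results["tampered body"] = v.verify(tampered, "POST", "/v1/prices", b'{"product":"diesel","price":1.00}')
    old = client_headers("k1", SECRET, "GET", "/v1/prices", b"", NOW - 3600)
    results["stale"] = v.verify(old, "GET", "/v1/prices", b"")
    results["unknown key"] = v.verify({**good, "X-Api-Key": "k9"}, "POST", "/v1/prices", body)
    return results

if __name__ == "__main__":
    for case, (ok, why) in demo().items():
        print(f"{case:14s} {'accept' if ok else 'reject'} ({why})")
```

In production the nonce set needs a TTL equal to the skew window (a shared cache, not the in-memory set shown), and the shared secret is what the "API key auth" step has to protect; the signature adds integrity and replay resistance, not secrecy, so TLS stays mandatory.
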
Tier 3 · within 90 days

  • medium

    Shared hosting risk assessment on lserver182-ind

    Host: lserver182-ind.hindustanpetroleum.com
    Fix: Audit the other customers on the same server. Migrate to a dedicated server if possible. cPanel isolation: PHP open_basedir, shell disabled for non-admin accounts. Malware scan.
    Owner: Hosting
    Validation: Customer audit done; isolation verified

Methodology is reproducible by any visitor with curl, dig, and openssl. Phase 1 (passive) findings are unconditional; Phase 2 (active) findings require per-entity ethical-hacking authorisation.

Sibling: Sanjaya — fuel pricing transparency on the same Ministry portfolio. Sanjaya narrates; Sanket warns.