MEDIUM · omc

Indian Oil Corporation

admin.iocl.com exposed in CT; Sucuri WAF in front

iocl.com · baseline scan 2026-04-27 · Phase 2 active scan 2026-04-28 · daily passive check 2026-06-13

Daily passive check · 2026-06-13

score 8

Availability

HTTP 307

TLS

2026-08-12 · 60d

Headers

2 missing · 0 permissive

Email auth

SPF strict · DMARC quarantine

Security score

66 · Watch

Headline findings

  • 01 admin.iocl.com publicly visible in CT logs
  • 02 Sucuri WAF fronts the origin (good)
  • 03 CSP loose (upgrade-insecure-requests only)
  • 04 Strict SPF (-all), DMARC p=quarantine — solid email auth

TLS security

pass

Issuer
GoDaddy.com, Inc.
Expires
2026-08-12 (60d)

Email authentication

SPF
strict
DKIM
present
DMARC
quarantine
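The scorecard above reports SPF as "strict" and DMARC as "quarantine" for iocl.com, while Path D and the Tier 2 patch list turn on whether admin.iocl.com is covered at all. The following is an added example, not code from the page: it classifies SPF by its terminal "all" mechanism, resolves the effective DMARC policy for a subdomain (inheriting the parent's sp= tag, or p= when sp= is absent), and applies the Tier 2 fix to a copy of the zone. The TXT records, the IP range and the report address are constructed for the example; the two-label organisational-domain rule is a simplification of what receivers do with the Public Suffix List.

```python
from typing import Dict, List, Tuple

# Added example, not code from the page. The zone below is constructed, not live DNS.
ZONE: Dict[str, List[str]] = {
    "iocl.com": ["v=spf1 ip4:203.0.113.0/24 include:_spf.mail.example -all"],
    "_dmarc.iocl.com": ["v=DMARC1; p=quarantine; rua=mailto:dmarc-reports@iocl.com"],
    # admin.iocl.com publishes no TXT records at all
}
ALL_QUALIFIERS = {"-": "strict", "~": "softfail", "?": "neutral", "+": "permissive"}

def txt(zone: Dict[str, List[str]], name: str) -> List[str]:
    return zone.get(name.lower(), [])

def spf_policy(records: List[str]) -> str:
    """Classify an SPF record by its terminal 'all' mechanism."""
    spf = [r for r in records if r.lower().startswith("v=spf1")]
    if not spf:
        return "none"
    if len(spf) > 1:
        return "invalid"          # RFC 7208 s4.5: more than one record is a permerror
    for term in spf[0].split()[1:]:
        qualifier, mech = (term[0], term[1:]) if term[0] in "+-~?" else ("+", term)
        if mech.lower() == "all":
            return ALL_QUALIFIERS[qualifier]
    return "neutral"              # no 'all' term: evaluation falls through to neutral

def parse_dmarc(record: str) -> Dict[str, str]:
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            k, v = part.split("=", 1)
            tags[k.strip().lower()] = v.strip()
    return tags

def org_domain(name: str) -> str:
    # Assumption: two-label organisational domain. Real receivers use the Public Suffix List.
    return ".".join(name.lower().split(".")[-2:])

def dmarc_policy(zone, domain: str) -> Tuple[str, str]:
    """Effective DMARC policy for `domain` and the record it came from. A subdomain
    without its own _dmarc record inherits the organisational domain's sp= tag,
    or p= when sp= is absent."""
    own = [r for r in txt(zone, "_dmarc." + domain) if r.upper().startswith("V=DMARC1")]
    if own:
        return parse_dmarc(own[0]).get("p", "none"), "_dmarc." + domain
    org = org_domain(domain)
    if org == domain.lower():
        return "none", ""
    parent = [r for r in txt(zone, "_dmarc." + org) if r.upper().startswith("V=DMARC1")]
    if not parent:
        return "none", ""
    tags = parse_dmarc(parent[0])
    return tags.get("sp", tags.get("p", "none")), "_dmarc." + org

def assess(zone, domain: str) -> Dict[str, object]:
    spf = spf_policy(txt(zone, domain))
    dmarc, source = dmarc_policy(zone, domain)
    findings = []
    if spf == "none":
        findings.append("no SPF: publish 'v=spf1 -all' (and a null MX '0 .') if the host never sends mail")
    elif spf != "strict":
        findings.append(f"SPF terminates in {spf}; end the record with -all")
    if dmarc != "reject":
        findings.append(f"DMARC is {dmarc} via {source or 'no record'}; move to p=reject once aggregate reports are clean")
    return {"spf": spf, "dmarc": dmarc, "dmarc_source": source, "findings": findings}

def hardened(zone):
    """The page's Tier 2 fix applied to a copy of the zone."""
    z = {k: list(v) for k, v in zone.items()}
    z["admin.iocl.com"] = ["v=spf1 -all"]
    z["_dmarc.iocl.com"] = ["v=DMARC1; p=reject; sp=reject; rua=mailto:dmarc-reports@iocl.com"]
    return z

if __name__ == "__main__":
    for z_name, z in (("current", ZONE), ("hardened", hardened(ZONE))):
        for host in ("iocl.com", "admin.iocl.com"):
            print(z_name, host, assess(z, host))
```

Note what the current zone already gives you: a message from @admin.iocl.com has no SPF record to pass, so DMARC evaluates it against the parent policy and quarantines it. The gap is that "quarantine" still lands in a spam folder where a targeted recipient can retrieve it; the explicit "v=spf1 -all" on the subdomain and p=reject close that.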

Hardening headers

4 present / 0 permissive / 2 missing

  • HSTS present
  • CSP present
  • X-Frame present
  • X-Content-Type present
  • Referrer-Policy missing
  • Permissions-Policy missing
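The present/permissive/missing tally above, plus the "CSP loose" headline finding and the Tier 3 "remove server banner" item, can be reproduced from one response-header map. The block below is an added example, not code from the page: it scores the six headers the page tracks against a constructed header map shaped like the output of `curl -sI https://iocl.com`. The thresholds (HSTS max-age of at least 180 days, only DENY/SAMEORIGIN for X-Frame-Options, the list of strict Referrer-Policy values) are editorial assumptions, not values the page states.

```python
import re
from typing import Dict, Tuple

# Added example, not code from the page. Thresholds are editorial assumptions.
HARDENING_HEADERS = (
    "strict-transport-security",
    "content-security-policy",
    "x-frame-options",
    "x-content-type-options",
    "referrer-policy",
    "permissions-policy",
)
STRICT_REFERRER = {"no-referrer", "same-origin", "strict-origin",
                   "strict-origin-when-cross-origin"}

# Constructed response headers approximating the page's 4 present / 0 permissive / 2 missing.
SAMPLE_HEADERS = {
    "Server": "Sucuri/Cloudproxy",
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
    "Content-Security-Policy": "upgrade-insecure-requests",
    "X-Frame-Options": "SAMEORIGIN",
    "X-Content-Type-Options": "nosniff",
}

def parse_csp(value: str) -> Dict[str, list]:
    """Split a CSP into {directive: [sources]}."""
    out = {}
    for part in value.split(";"):
        tokens = part.strip().split()
        if tokens:
            out[tokens[0].lower()] = tokens[1:]
    return out

def classify(name: str, value: str) -> Tuple[str, str]:
    """Return (status, note) for a header that is set: 'present' or 'permissive'."""
    v = value.strip().lower()
    if name == "strict-transport-security":
        m = re.search(r"max-age=(\d+)", v)
        if not m or int(m.group(1)) < 180 * 86400:
            return "permissive", "max-age shorter than 180 days"
        return "present", ""
    if name == "content-security-policy":
        d = parse_csp(v)
        if "default-src" not in d and "script-src" not in d:
            # The page's 'CSP loose' finding: the header exists but restricts no source.
            return "present", "loose: no default-src/script-src, only " + ", ".join(d)
        srcs = d.get("script-src", d.get("default-src", []))
        if "'unsafe-inline'" in srcs or "*" in srcs:
            return "permissive", "script sources allow inline or wildcard"
        return "present", ""
    if name == "x-frame-options":
        return ("present", "") if v in ("deny", "sameorigin") else \
               ("permissive", "browsers enforce only DENY or SAMEORIGIN")
    if name == "x-content-type-options":
        return ("present", "") if v == "nosniff" else ("permissive", "value must be nosniff")
    if name == "referrer-policy":
        return ("present", "") if v in STRICT_REFERRER else \
               ("permissive", "policy leaks the full URL cross-origin")
    return "present", ""   # permissions-policy: any explicit policy counts as present

def audit(headers: Dict[str, str]) -> Dict[str, Tuple[str, str]]:
    lower = {k.lower(): v for k, v in headers.items()}
    report = {h: classify(h, lower[h]) if h in lower else ("missing", "")
              for h in HARDENING_HEADERS}
    if "server" in lower:   # the Tier 3 item: strip the Server banner
        report["server"] = ("banner", lower["server"])
    return report

def summarise(report) -> Tuple[int, int, int]:
    """(present, permissive, missing) counts over the six hardening headers."""
    c = {"present": 0, "permissive": 0, "missing": 0}
    for h in HARDENING_HEADERS:
        c[report[h][0]] += 1
    return c["present"], c["permissive"], c["missing"]

if __name__ == "__main__":
    rep = audit(SAMPLE_HEADERS)
    for h, (status, note) in rep.items():
        print(f"{h:28} {status:10} {note}")
    print("present/permissive/missing:", summarise(rep))
```

The CSP rule is the one worth keeping: a policy consisting only of upgrade-insecure-requests counts as "present" in a header tally but constrains nothing, which is exactly why the page scores it present and still lists it as a headline finding.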

Lookalike domains

  • iocl.net 76.223.54.146 (AWS Global Accelerator, third-party)

Public topology · CT logs

13 total · 1 sensitive

iocl.com
Admin
  • admin.iocl.com

Certificate-transparency logs are append-only and public. A sensitive hostname advertised there cannot be retracted, so the mitigation is forward-only: new internal services take certificates from a private CA that does not submit to public CT, or sit behind a wildcard certificate, which logs only *.iocl.com rather than the individual hostname. Public-trust certificates cannot simply be kept out of the logs, since Chrome and Safari refuse ones that carry no CT proof.
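The forward-only controls for the CT problem and for the renewal window (the Tier 1 item and the question put to MD below) are a CAA record naming the only CA allowed to issue, a watched CT feed, and an expiry countdown. The block below is an added example, not code from the page or from any CT monitoring product: it evaluates a CAA RRset the way RFC 8659 describes, scans constructed CT entries (in a certspotter-like shape, with the issuer given as its CAA identifier) for sensitive hostnames and for certificates the CAA policy would not permit, and opens a "renewal window" alert inside 60 days. The entries, the CAA values, the hostname pattern list and the clock (set to the page's daily-check date) are all constructed.

```python
import re
from datetime import datetime, timezone
from typing import List, Tuple

# Added example, not code from the page. Entries, CAA values and the clock are constructed.
SENSITIVE = re.compile(r"^(admin|cpanel|whm|webmail|vpn|staging|dev|test|internal)([.-])", re.I)

# CAA RRset as (flags, tag, value). Constructed to match the page's GoDaddy issuer.
CAA = [(0, "issue", "godaddy.com"), (0, "iodef", "mailto:security@iocl.com")]

# Constructed CT entries; 'issuer' is the CA's CAA identifier, not the X.509 issuer string.
CT_ENTRIES = [
    {"dns_names": ["iocl.com", "www.iocl.com"], "issuer": "godaddy.com",
     "not_after": "2026-08-12T23:59:59Z"},
    {"dns_names": ["admin.iocl.com"], "issuer": "godaddy.com",
     "not_after": "2026-08-12T23:59:59Z"},
    {"dns_names": ["staging-admin.iocl.com"], "issuer": "letsencrypt.org",
     "not_after": "2026-09-01T00:00:00Z"},
]
NOW = datetime(2026, 6, 13, tzinfo=timezone.utc)   # the page's daily-check date

def caa_permits(caa: List[Tuple[int, str, str]], issuer: str, wildcard: bool = False) -> bool:
    """RFC 8659 subset. No CAA RRset: any CA may issue. Otherwise the issuer must be
    named by an 'issue' record (or 'issuewild' for wildcard names, falling back to
    'issue'); a value of ';' permits nobody."""
    if not caa:
        return True
    tag = "issuewild" if wildcard else "issue"
    allowed = [v for _, t, v in caa if t == tag]
    if wildcard and not allowed:
        allowed = [v for _, t, v in caa if t == "issue"]
    return any(v.split(";")[0].strip().lower() == issuer.lower() for v in allowed)

def days_left(not_after: str, now: datetime = NOW) -> int:
    exp = datetime.strptime(not_after, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return (exp - now).days

def review(entries, caa, now: datetime = NOW, window_days: int = 60):
    """Return [(hostname, [reasons])] for every CT entry worth an alert."""
    alerts = []
    for e in entries:
        days = days_left(e["not_after"], now)
        for name in e["dns_names"]:
            wildcard = name.startswith("*.")
            bare = name[2:] if wildcard else name
            reasons = []
            if SENSITIVE.search(bare):
                reasons.append("sensitive hostname published to CT")
            if not caa_permits(caa, e["issuer"], wildcard):
                reasons.append(f"issuer {e['issuer']} not permitted by CAA: possible hijack or rogue issuance")
            if days <= window_days:
                reasons.append(f"expires in {days}d: renewal window open, watch registrar and DNS")
            if reasons:
                alerts.append((name, reasons))
    return alerts

if __name__ == "__main__":
    for host, reasons in review(CT_ENTRIES, CAA):
        print(host)
        for r in reasons:
            print("   -", r)
```

Run the same entries with an empty CAA list and the Let's Encrypt certificate for staging-admin.iocl.com passes without comment: without a CAA record there is no policy for a CT monitor to compare against, which is the practical reason the Tier 1 fix pairs the two.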

Phase 2 · Active scan complete

Authorised ethical-hacking assessment ran on 2026-04-28. Active fingerprinting, CVE matching, Mythos-class adversary simulation, and CISO patch list below.

Single-question version for MD

Given the June 2026 TLS rotation window and admin.iocl.com publicly enumerated in CT, what controls prevent DNS hijack or unauthorised CSR submission during renewal — and has the GoDaddy registrar account been audited for compromise?

Active fingerprints · per host

  • iocl.com · EOL × 1

    Sucuri WAF + GoDaddy TLS + ASP.NET Core

    • Cert rotation in 45 days; Sucuri version not disclosed
  • admin.iocl.com · EOL × 1

    cPanel/WHM control panel

    • Admin path publicly enumerated in CT logs

Attack-path simulation

Mythos-class adversary analytical chain · paths ranked by exploitability × access value.

#1

Path A: TLS rotation interception + subdomain takeover

effort days
detect low (bad)
Entry
Monitor WHOIS + CT for June 2026 renewal; submit unauthorised CSR or DNS hijack via registrar compromise.
Pivot
A fraudulently issued certificate, combined with the DNS hijack, lets the attacker terminate TLS for admin.iocl.com themselves, in front of or instead of the Sucuri WAF, which never sees that traffic.
Objective
Intercept admin tokens; compromise dealer portal; exfiltrate customer data.
#2

Path B: F5 BIG-IP CVE-2025-53521 (if APM deployed in backend)

effort hours
detect medium
Entry
If F5 BIG-IP APM in stack: pre-auth RCE.
Pivot
RCE on F5 → extract auth tokens → cPanel admin compromise.
Objective
Arbitrary command execution; alter dealer locator; inject malware.
#2

Path D: Email spoofing + executive phishing

effort days
detect low (bad)
Entry
iocl.com SPF tight (-all); admin subdomain may lack SPF.
Pivot
Phishing from an @admin.iocl.com sender → CEO → procurement VPN, financials.
Objective
Executive credential theft; lateral move.
#3

Path C: Dealer portal SQL injection via locator.iocl.com

effort days
detect high (good)
Entry
Fuzz /locator/search?location=X for SQLi on unparameterised queries.
Pivot
Extract dealer DB creds, payment data via MSSQL backend.
Objective
Credential harvest from dealer network; supply-chain intel.
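Path C and its Tier 2 remediation describe the same query from two sides: an unparameterised locator search that can be fuzzed, and the parameterised, allowlisted replacement. The block below is an added example, not code from the page or from the IOCL portal: it rebuilds both against a constructed in-memory SQLite dealer table and adds a boolean-blind extraction loop that never contains UNION, which is the point behind the compression note that a WAF tuned to union-based payloads misses blind ones. The table layout, rows, the "portal_admin" row and the location parameter name are assumptions; the backend the page names is MSSQL, but the injection mechanics shown here are identical.

```python
import re
import sqlite3
from typing import Callable, List

# Added example, not code from the page. Schema, rows and parameter name are assumptions.
def build_db() -> sqlite3.Connection:
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE dealers(id INTEGER PRIMARY KEY, name TEXT, city TEXT);
        CREATE TABLE dealer_users(id INTEGER PRIMARY KEY, login TEXT, pw_hash TEXT);
        INSERT INTO dealers(name, city) VALUES ('Dealer A', 'Pune'), ('Dealer B', 'Mumbai'), ('Dealer C', 'Delhi');
        INSERT INTO dealer_users(login, pw_hash) VALUES ('portal_admin', '5f4dcc3b');
    """)
    return db

def vulnerable_search(db, location: str) -> List[str]:
    """CWE-89: the ?location= value is concatenated straight into the statement."""
    sql = f"SELECT name FROM dealers WHERE city = '{location}'"
    return [row[0] for row in db.execute(sql)]

LOCATION_RE = re.compile(r"^[A-Za-z][A-Za-z .-]{0,63}$")   # allowlist: letters, space, dot, hyphen

def safe_search(db, location: str) -> List[str]:
    """Tier 2 fix: allowlist the input, then bind it as a parameter."""
    if not LOCATION_RE.match(location):
        return []
    return [row[0] for row in db.execute("SELECT name FROM dealers WHERE city = ?", (location,))]

def blind_extract(oracle: Callable[[str], bool], subquery: str, maxlen: int = 32) -> str:
    """Boolean-blind extraction through a yes/no oracle. oracle(payload) returns True
    when the page rendered results, i.e. the injected condition held. No UNION, no
    stacked statements: only the tautology shape a signature rule set often ignores."""
    charset = "0123456789abcdef"
    found = ""
    for pos in range(1, maxlen + 1):
        for ch in charset:
            payload = f"x' OR substr(({subquery}), {pos}, 1) = '{ch}' --"
            if oracle(payload):
                found += ch
                break
        else:
            break        # no character matched: end of the value
    return found

def demo() -> dict:
    db = build_db()
    tautology = "x' OR 1=1 --"
    secret_q = "SELECT pw_hash FROM dealer_users WHERE login = 'portal_admin'"
    return {
        "vulnerable_tautology": vulnerable_search(db, tautology),
        "safe_tautology": safe_search(db, tautology),
        "safe_normal": safe_search(db, "Pune"),
        "blind_vs_vulnerable": blind_extract(lambda p: bool(vulnerable_search(db, p)), secret_q),
        "blind_vs_safe": blind_extract(lambda p: bool(safe_search(db, p)), secret_q),
    }

if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k:22} {v}")
```

The "sqlmap finds 0 injection points" validation in the patch list is the external check; the internal one is that nothing in the codebase still builds SQL with string formatting, which a grep for f-strings and concatenation next to execute() calls finds faster than a scanner does.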

Mythos compression

Discovery-time compression: pre-AI adversary vs Mythos-class adversary, per attack path.

Path A · TLS rotation interception + subdomain takeover
factor ~3× if registrar compromised; detection negligible if the attacker wins the ACME domain-validation race inside the hijack window
pre-AI
TLS rotation = known attack window
Mythos
Pre-registration of attacker domain + DNS hijack during renewal — high-confidence state-level pattern
Path C · Dealer portal SQL injection via locator.iocl.com
factor ~2–5×; Sucuri blocks union-based, misses time-blind
pre-AI
Standard OWASP A1 SQLi on geospatial queries
Mythos
Dealer networks = soft underbelly; SQLi → credential harvest → lateral via dealer workstation (cf. Colonial Pipeline 2021)

The compression factor is reasoned, not measured. Mythos-class capability changes the tempo of attack-path traversal; the topology of the chain is unchanged.

CISO patch list

Tier 1 · within 7 days

  • critical

    TLS rotation procedure audit + DNSSEC + CT monitoring

    Host
    iocl.com
    Fix
    Publish a CAA record naming the intended CA (HPKP is deprecated and no longer honoured by browsers, so key pinning is not an option). Enable DNSSEC. MFA-only registrar account. CT monitoring (certspotter). Rotate GoDaddy API keys.
    Owner
    Infrastructure / Security
    Validation
    dig +dnssec iocl.com; dig CAA iocl.com; CT log monitoring active
  • critical

    F5 BIG-IP CVE-2025-53521 patch (if applicable)

    Host
    iocl.com backend (if F5 APM)
    CVE
    CVE-2025-53521
    Fix
    Upgrade F5 BIG-IP to 17.5.1.3 / 17.1.3 / 16.1.6.1 / 15.1.10.8. CISA KEV deadline 2026-03-30.
    Owner
    Infrastructure / Network Ops
    Validation
    F5 version scan confirms patched
  • critical

    Restrict admin.iocl.com — IP allowlist + 2FA

    Host
    admin.iocl.com
    Fix
    Move admin off public DNS or IP-allowlist on WHM ports 2087/2083. Enforce 2FA. Key-based SSH only. Rotate admin SSH keys.
    Owner
    Infrastructure / SysAdmin
    Validation
    External admin.iocl.com unreachable; 2FA enforced

Tier 2 · within 30 days

  • high

    Dealer locator SQLi remediation

    Host
    locator.iocl.com
    CWE
    CWE-89
    Fix
    Parameterise queries. Allowlist input validation. Sucuri WAF SQLi rules. Rate-limit /locator/search.
    Owner
    Development / QA
    Validation
    sqlmap finds 0 injection points
  • high

    Email spoofing prevention — SPF on admin subdomain + DMARC p=reject

    Host
    iocl.com
    Fix
    Publish an explicit SPF record for admin.iocl.com (v=spf1 -all if it never sends mail). Raise the parent DMARC policy to p=reject; subdomains inherit p= unless an sp= tag overrides it. Confirm DKIM keys are in place for every sending service.
    Owner
    Email Security
    Validation
    mxtoolbox SPF/DMARC audit; spoofed mail bounces
  • high

    WordPress plugin security on news.iocl.com / wowstories.iocl.com

    Host
    news.iocl.com / wowstories.iocl.com
    CVE
    CVE-2025-8489
    Fix
    Audit plugins. King Addons → 51.1.35+. Admin-only registration. WAF block on /wp-admin/admin-ajax.php admin payloads.
    Owner
    Content Management
    Validation
    WPScan; registration admin-only

Tier 3 · within 90 days

  • medium

    HTTP security headers verification across iocl.com surface

    Host
    iocl.com
    Fix
    Set all six headers (add Referrer-Policy and Permissions-Policy; give the CSP a real default-src/script-src instead of upgrade-insecure-requests alone). OWASP ZAP scan. Remove the Server banner.
    Owner
    Development
    Validation
    securityheaders.com returns A+

Methodology is reproducible by any visitor with curl, dig, and openssl. Phase 1 (passive) findings are unconditional; Phase 2 (active) findings require per-entity ethical-hacking authorisation.

Sibling: Sanjaya — fuel pricing transparency on the same Ministry portfolio. Sanjaya narrates; Sanket warns.