MEDIUM · upstream

Oil and Natural Gas Corporation

SPF entirely missing; DMARC absent; weak CSP

ongcindia.com · baseline scan 2026-04-27 · daily passive check 2026-06-13 · Phase 2 active scan 2026-04-28

Daily passive check · 2026-06-13

score 94

Availability

request timed out

TLS

unknown

Headers

6 missing · 0 permissive

Email auth

SPF missing · DMARC absent

56

Security score

Watch

Headline findings

  • 01 SPF entirely missing — anyone can spoof @ongcindia.com
  • 02 DMARC absent
  • 03 CSP weak (upgrade-insecure-requests only)
  • 04 Liferay Portal stack visible (JSESSIONID/COOKIE_SUPPORT)

TLS security

unknown

Issuer: Unavailable

TLS connection timed out

Email authentication

SPF: missing
DKIM: unknown
DMARC: absent

Hardening headers

0 present · 0 permissive · 6 missing

  • HSTS: missing
  • CSP: missing
  • X-Frame: missing
  • X-Content-Type: missing
  • Referrer-Policy: missing
  • Permissions-Policy: missing

Lookalike domains

  • ongcindia.co.in · 185.53.177.29 (Everdata/CDN, third-party owned)

Public topology · CT logs

2 total

2 subdomains in CT logs; no sensitive categories flagged.

Certificate-transparency logs are immutable and public. Sensitive subdomains advertised here cannot be retracted; the mitigation is forward-only — new internal services route through a private CA that does not submit to public CT.

Phase 2 · Active scan complete

Authorised ethical-hacking assessment ran on 2026-04-28. Active fingerprinting, CVE matching, Mythos-class adversary simulation, and CISO patch list below.

Single-question version for MD

Is unauthenticated access to Liferay workflow APIs blocked, and is the workflow component patched against CVE-2024-38002 — the highest-confidence attack path against ongcindia.com today?

Active fingerprints · per host

  • www.ongcindia.com · EOL × 1

    Liferay Portal 7.x (exact version not exposed)

    • Liferay version concealed; CVE-2024-38002 applies if 7.4.x ≤ 7.4.3.111

Attack-path simulation

Mythos-class adversary analytical chain · paths ranked by exploitability × access value.

#1 · Path A: Liferay Workflow RCE (CVE-2024-38002)

effort: hours · detect: medium
Entry: Authenticated user crafts workflow definition upload via /api/jsonws/workflow.workflow* endpoints; no permission check on workflow editor.
Pivot: Upload via workflow API; achieves RCE as Liferay app server user.
Objective: RCE; lateral movement to backend systems; database access.

#2 · Path B: Liferay Layout SEO CSRF → RCE (CVE-2023-35030)

effort: hours · detect: medium
Entry: CSRF via malicious link to authenticated Liferay admin; no SameSite cookie observed.
Pivot: backURL parameter points to scripting console; admin click executes attacker Groovy script.
Objective: RCE in admin context.

#3 · Path C: Ransomware staging via admin password spray

effort: days · detect: low (bad)
Entry: Weak admin creds or password spray on /c/portal/login; credential dumps from prior breaches.
Pivot: Admin compromise → webshell via document library or Groovy console.
Objective: Foothold for ransomware/data exfil (Qilin/Akira Q4 2025 energy targeting pattern).

Mythos compression

Discovery-time compression: pre-AI adversary vs Mythos-class adversary, per attack path.

Path A · Liferay Workflow RCE (CVE-2024-38002)
factor: ~5–7× (refinery IT-OT entanglement; 2022 Oil India ransomware took 5 days to fully resolve)
pre-AI: Workflow RCE → app user execution → DB access, lateral to ICS/SCADA
Mythos: Workflow edit becomes pivot to operational technology; refinery operations interruptible; sector-wide cascade risk

Path B · Liferay Layout SEO CSRF → RCE (CVE-2023-35030)
factor: ~2–3×
pre-AI: Admin CSRF + scripting console → app-level privilege escalation
Mythos: No new capability; eliminates password attack

The compression factor is reasoned, not measured. Mythos-class capability changes the tempo of attack-path traversal; the topology of the chain is unchanged.

CISO patch list

Tier 1 · within 7 days

  • critical

    Liferay Workflow RCE (CVE-2024-38002) — patch to 7.4.3.112+

    Host: www.ongcindia.com
    CVE: CVE-2024-38002
    Fix: Upgrade Liferay to 7.4.3.112+ or backport. If on 7.3 LTS upgrade to 7.3.10.21+. Validate workflow API requires admin permission post-patch.
    Owner: ONGC Infrastructure / Liferay Ops
    Validation: curl /api/jsonws/workflow.workflow/get-workflows returns 401/403 without auth

  • critical

    Liferay Layout CSRF (CVE-2023-35030)

    Host: www.ongcindia.com
    CVE: CVE-2023-35030
    Fix: Liferay 7.4.3.77+. Enable SameSite=Strict on session cookies.
    Owner: ONGC Infrastructure
    Validation: Set-Cookie header shows SameSite=Strict

Tier 2 · within 30 days

  • high

    MFA on all Liferay admin accounts

    Host: www.ongcindia.com
    Fix: Liferay → Control Panel → Security → enable TOTP/hardware key for Administrator role.
    Owner: ONGC IAM
    Validation: Admin login without MFA rejected

  • high

    DMARC p=reject + SPF audit (currently DMARC absent)

    Host: ongcindia.com (email)
    Fix: Publish DMARC p=reject. SPF: explicit includes for actual mail infrastructure. DKIM signing.
    Owner: ONGC IT / Email Security
    Validation: dig _dmarc.ongcindia.com returns p=reject

Methodology is reproducible by any visitor with curl, dig, and openssl. Phase 1 (passive) findings are unconditional; Phase 2 (active) findings require per-entity ethical-hacking authorisation.
