HIGH · regulator

Petroleum Planning & Analysis Cell

DMARC absent + 6/6 hardening headers missing + permissive CSP

ppac.gov.in · baseline scan 2026-04-27 · daily passive check 2026-06-13 · Phase 2 active scan 2026-04-28

Daily passive check · 2026-06-13

score 18

Availability

HTTP 200

TLS

2026-12-18 · 188d

Headers

0 missing · 1 permissive

Email auth

SPF soft · DMARC absent

Security score

42 · Elevated

Headline findings

  • 01 · DMARC entirely absent — major spoofing surface for tender / pricing-circular impersonation
  • 02 · All 6 standard hardening headers missing
  • 03 · CSP present but permissive (unsafe-inline)
  • 04 · CodeIgniter framework visible (set-cookie ci_session)

TLS security

pass

Issuer
Sectigo Limited
Expires
2026-12-18 (188d)

Email authentication

SPF
soft
DKIM
unknown
DMARC
absent

Hardening headers

5 / 1 / 0 · present / permissive / missing

  • HSTS · present
  • CSP · permissive
  • X-Frame · present
  • X-Content-Type · present
  • Referrer-Policy · present
  • Permissions-Policy · present

Lookalike domains

  • ppac.gov.com · 50.16.218.27 (AWS — typosquat cluster)
  • ppac.gov.org · 50.16.218.27 (AWS — typosquat cluster)

Public topology · CT logs

2 total

2 subdomains in CT logs; no sensitive categories flagged.

Certificate-transparency logs are immutable and public. Sensitive subdomains advertised here cannot be retracted; the mitigation is forward-only — new internal services route through a private CA that does not submit to public CT.

Phase 2 · Active scan complete

Authorised ethical-hacking assessment ran on 2026-04-28. Active fingerprinting, CVE matching, Mythos-class adversary simulation, and CISO patch list below.

Single-question version for MD

What CodeIgniter version is PPAC running today, and if it is 3.x (EOL since 2022), who owns the migration plan to a supported framework?

Active fingerprints · per host

  • ppac.gov.in · EOL × 1

    CodeIgniter (ci_session cookie visible) + PHP, Sectigo DV TLS

    • CodeIgniter 3 EOL since 2022 (if running 3.x); CodeIgniter 4.x watch CVE-2025-54418
  • data.ppac.gov.in

    Java backend with JSESSIONID, /PPAC/index path

Attack-path simulation

Mythos-class adversary analytical chain · paths ranked by exploitability × access value.

#1

Path A: CodeIgniter version confirmation → unpatched RCE chain

effort · hours
detect · low (bad)
Entry
ci_session cookie confirms CodeIgniter framework. Version not exposed; if 3.x (EOL since 2022), multiple unpatched RCE routes via PHP object injection / file upload.
Pivot
Craft serialised PHP object with gadget chain; trigger via form submission. /uploads directory enumeration.
Objective
RCE, read DB credentials, exfiltrate data.ppac.gov.in contents.
#2

Path B: Missing hardening headers → reflected XSS + clickjacking

effort · hours
detect · low (bad)
Entry
All 6 hardening headers missing on apex; CSP present but permissive (unsafe-inline).
Pivot
Inject reflected XSS via query params; frame in iframe overlay for clickjacking.
Objective
Harvest session cookies, redirect to phishing, persistent XSS via stored injection.
#2

Path C: DMARC absence + soft-fail SPF → email spoofing for inter-ministry impersonation

effort · hours
detect · low (bad)
Entry
DMARC entirely absent; SPF soft-fail. Attacker sends from ppac@ppac.gov.in to MoPNG/PNGRB staff.
Pivot
Phishing email with regulatory-traffic plausibility (PPAC is the canonical petroleum-data org).
Objective
Credential harvest, lateral movement via inter-ministry trust.

Mythos compression

Discovery-time compression: pre-AI adversary vs Mythos-class adversary, per attack path.

Path A · CodeIgniter version confirmation → unpatched RCE chain
factor ~5×
pre-AI
5 hours (CodeIgniter vuln research + gadget chain + serialised payload + upload fuzzing)
Mythos
1 hour (pre-cached CI3 RCE library, automated gadget generation)
Path B · Missing hardening headers → reflected XSS + clickjacking
factor ~6×
pre-AI
3 hours (XSS payload + CSP-bypass research + clickjacking setup)
Mythos
30 min (mutation, CSP-safe encoding, iframe templates)

The compression factor is reasoned, not measured. Mythos-class capability changes the tempo of attack-path traversal; the topology of the chain is unchanged.

CISO patch list

Tier 1 · within 7 days

  • critical

    Confirm CodeIgniter version; if 3.x, plan migration to 4.6.2+

    Host
    ppac.gov.in
    CVE
    CVE-2025-54418 if 4.x ImageMagick handler enabled; multiple unpatched if 3.x
    Fix
    grep CI_VERSION in source. CI3 → migrate to CI 4.6.2+. Major version: audit all controllers/routes/models. Until migrated, deploy WAF rules blocking CI3 RCE patterns (unserialization, file inclusion).
    Owner
    Application Development
    Validation
composer show codeigniter4/framework | grep 4.6.2; unit tests pass
  • critical

    Deploy all 6 hardening headers (HSTS, CSP, X-Frame-Options, X-Content-Type-Options, Referrer-Policy, Permissions-Policy)

    Host
    ppac.gov.in
    Fix
    Configure in Nginx/Apache or PHP header() calls. CSP: default-src 'self'; script-src 'self' 'nonce-{random}'; object-src 'none'.
    Owner
    Infrastructure / Security
    Validation
    securityheaders.com scan returns A or A+
  • critical

    Remove unsafe-inline from CSP; nonce-based execution

    Host
    ppac.gov.in
    Fix
    Generate per-request nonce (32 bytes, base64). Update all inline <script> tags. Test with Report-Only header before enforcement.
    Owner
    Frontend / Security
    Validation
    Page source shows nonces; injected scripts without nonce blocked
  • critical

    Publish DMARC p=reject; harden SPF

    Host
    ppac.gov.in (email)
    Fix
    DMARC: 'v=DMARC1; p=reject; rua=mailto:security@ppac.gov.in; fo=1'. SPF: explicit 'v=spf1 include:mgovcloud.in -all'.
    Owner
    IT / Email Security
    Validation
    dig +short TXT _dmarc.ppac.gov.in returns p=reject; spoofed mail bounces

Tier 2 · within 30 days

  • high

    Audit file uploads; move upload directory outside web root

    Host
    ppac.gov.in
    Fix
    Move /uploads outside web root. Disable script execution. Magic-byte file-type validation (not extension). ClamAV on upload.
    Owner
    Application Security / DevOps
    Validation
    POST .php file returns 403; no script execution from upload dir
  • high

    Replace string concatenation with parameterised queries

    Host
    ppac.gov.in / data.ppac.gov.in
    Fix
    Audit all DB queries. Use CI4 query builder or PDO prepared statements. SQLMap scan for residual injection points.
    Owner
    Backend Engineering
    Validation
    SQLMap finds 0 injection points

Tier 3 · within 90 days

  • medium

    Rate-limit + CAPTCHA on login + data endpoints

    Host
    ppac.gov.in / data.ppac.gov.in
    Fix
    5 login attempts per IP per 15 min; CAPTCHA after 2 failures; reCAPTCHA v3 on submit forms.
    Owner
    Application Security
    Validation
    6th login attempt in 1 min returns 429 or CAPTCHA challenge

Methodology is reproducible by any visitor with curl, dig, and openssl. Phase 1 (passive) findings are unconditional; Phase 2 (active) findings require per-entity ethical-hacking authorisation.

Sibling: Sanjaya — fuel pricing transparency on the same Ministry portfolio. Sanjaya narrates; Sanket warns.