Skip to main content

Tips on checking URLs that you don’t trust

Sites like this one are always warning you to avoid suspicious websites. Sometimes your browser or security software will stop and warn you about a particular site. And sometimes you want to see it anyway. Is there a safe way to do it? Yes, there are a few.

The most common way researchers work with suspicious sites, first and foremost, is not to surf like a normal user on Windows. Most use Linux. Indeed, you're also safer on a Mac. But even if you use some oddball browser on some oddball operating system, you can still be affected by cross-site scripting, cookie stealing and other such abuses.

The trick is that you don't really want to see the web page, you want to see the HTML behind it. If you don't know how to read HTML and scripting, stay away from this business.

My usual trick is to open the page directly in my text editor, TextPad, which I love and highly recommend. I can just File-Open in the text editor, give it a URL, and it loads HTML into an editor window. This is about as convenient as it gets (Notepad does it too).

There is a potential risk using the editor, as I assume both Notepad and TextPad use standard Windows HTTP services (like this) to retrieve the web page, and so perhaps a vulnerability there could open you up to attack.

There are alternatives which may or may not have their own HTTP engines. Did you know Firefox and Google Chrome have a view-source protocol handler? You can view the source code simply by entering this into your URL bar:


Where URL is the web address of the page in question.

And then there's Curl, a free and open source Internet URL retrieval engine. It's most famous for retrieving HTTP URLs, but it handles many other protocols too (HTTP, HTTPS, FTP, FTPS, SCP, SFTP, TFTP, DICT, TELNET, LDAP or FILE).

You can use Curl in batch files to retrieve various web pages under complete programmatic control. It's really powerful and once you learn how to use it you'll figure out other things to do with it.

A word of warning, though: Don't think you're invulnerable with such testing. Other things you can do to make yourself safe are to do this testing in a VM (virtual machine), and not to have any personal data on the system. But the main point here is that if you think you can protect yourself and you're careful, these methods let you see exactly what a web page does without subjecting yourself to the page itself.