How do I safely inspect a potentially malicious website?

Why not just send the URL to VirusTotal? Accessing a malicious website directly can be tricky, and fetching it with curl, wget, or links -dump can be just as unreliable, depending on how the malicious content is served up. For example:

<IfModule mod_rewrite.c>
 RewriteEngine On
 # Serve a 403 Forbidden to common command-line clients and HTTP libraries
 RewriteCond %{HTTP_USER_AGENT} (winhttp|libwww\-perl|curl|wget) [NC]
 RewriteRule ^(.*)$ - [F,L]
</IfModule>

Using mod_rewrite, I can feed you non-malicious pages, send you elsewhere, or do whatever else I'd like. Further, I can change payloads: instead of feeding you malicious code, I can swap in a harmless "Hello World" JavaScript file. This may trick you into thinking my malicious website is harmless.
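One practical check, if you are already working from a disposable VM, is to request the same URL with several different User-Agent strings and compare what comes back; cloaking like the rule above shows up as different content per client. Here is a minimal Python sketch of that comparison; the target URL is a placeholder, and this should only ever be run from a burner machine:

    import hashlib
    import requests  # third-party; pip install requests

    URL = "http://suspicious.example/"  # placeholder, not a real target

    USER_AGENTS = {
        "curl": "curl/8.5.0",
        "wget": "Wget/1.21",
        "browser": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) "
                   "AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0 Safari/537.36",
    }

    for name, ua in USER_AGENTS.items():
        # allow_redirects=False so redirect-based cloaking is visible too
        r = requests.get(URL, headers={"User-Agent": ua},
                         timeout=10, allow_redirects=False)
        digest = hashlib.sha256(r.content).hexdigest()[:12]
        print(f"{name:8s} status={r.status_code} bytes={len(r.content)} sha256={digest}")

If the hashes or status codes differ between the "browser" and the command-line agents, you are almost certainly being served different content per client.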

Normally, when I have to visit a malicious website, I use a virtualized sandbox that runs Burp Suite for interception, a Squid proxy server, and a few other tools (NoScript, Ghostery, etc.). What is the ultimate purpose of visiting, outside of curiosity?
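As an aside on that setup: a scripted fetch can be pointed at the intercepting proxy inside the sandbox so that every request and response gets captured for later review. A rough sketch, assuming Burp (or Squid) is listening on 127.0.0.1:8080 inside the VM; the listener address and target URL are placeholders:

    import requests  # third-party; pip install requests

    PROXY = "http://127.0.0.1:8080"        # assumed local Burp/Squid listener
    URL = "http://suspicious.example/"     # placeholder target

    # Route both schemes through the interception proxy. verify=False is needed
    # because Burp re-signs TLS with its own CA; only do this inside a throwaway
    # VM, never on a machine you care about.
    r = requests.get(URL,
                     proxies={"http": PROXY, "https": PROXY},
                     verify=False,
                     timeout=15)
    print(r.status_code, r.headers.get("Content-Type"))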


Visiting a malicious site is often hit or miss because you're talking to THEIR software, which THEY control. You have no real control over it, no matter what you do. It could appear non-malicious for a long time and then hit you. It could try to hit you as soon as you visit it. It could...

Because there are literally infinite possibilities for how a site could be malicious, you can never really be sure. All you can do is use some sort of burner equipment, explore, and still never trust the site. Ever. For any site. The danger, no matter what protocol you use, is that in the end you are visiting their server in some way, and you open yourself up to payloads at every layer of the OSI model. Even if you just want to see the OPTIONS headers, that still means opening a connection. It's really a catch-22.
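To make that last point concrete: even a "harmless" OPTIONS probe involves a DNS lookup, a TCP handshake, and possibly TLS negotiation with their server, so they learn your IP and client fingerprint and get to answer however they like. A tiny sketch (placeholder URL, burner machine only):

    import requests  # third-party; pip install requests

    # Even this minimal probe opens a connection to their server and hands
    # them a chance to respond with whatever they want.
    r = requests.options("http://suspicious.example/", timeout=10)
    print(r.status_code, r.headers.get("Allow"))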


Remember, the web runs on a level of trust: I trust you to keep me safe. Just in case, though, I'm still going to run antivirus software and let other people visit the site first. If they stay safe long enough, I guess I'll visit you.

And then there's the chance those could get hacked. Then your trust is broken.


Worse yet is trying to inspect the code. Sure, you get a copy, but a copy of what? It's in a site's best interest to appear non-malicious for as long as possible. Often the source is completely innocuous until it downloads the payload from some off-site location that most scanners won't flag. So then you're stuck hunting down every single link and source file and reading through or analyzing those too, which gets costly over time.
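If you do go down the source-inspection route, the first chore is usually just enumerating everything the page pulls in from elsewhere. A rough sketch of that enumeration using only the Python standard library, run against a saved copy of the HTML rather than the live site (the file name is a placeholder):

    from html.parser import HTMLParser

    class ExternalResourceLister(HTMLParser):
        """Collect the URLs of scripts, frames, styles, and images a page references."""
        WATCHED = {"script": "src", "iframe": "src", "img": "src",
                   "link": "href", "embed": "src", "object": "data"}

        def __init__(self):
            super().__init__()
            self.resources = []

        def handle_starttag(self, tag, attrs):
            wanted = self.WATCHED.get(tag)
            if wanted:
                for name, value in attrs:
                    if name == wanted and value:
                        self.resources.append((tag, value))

    # Analyze an offline copy, not the live site.
    with open("saved_page.html", "r", encoding="utf-8", errors="replace") as fh:
        parser = ExternalResourceLister()
        parser.feed(fh.read())

    for tag, url in parser.resources:
        print(f"{tag:7s} {url}")

Every URL that prints is another thing you have to fetch and vet, which is exactly why this approach does not scale.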

TL;DR:

You can never trust a site completely. Not even Google. The actual malicious part of the site can be put into anything, anywhere on the site. Sure, you can safely inspect the source, but all you might get is a false sense of security.

If you absolutely MUST do this, use a burner machine or VM that you can destroy the instant it becomes infected. The payload could be anywhere (an HTML file, an off-site JS/CSS/vector/app/image/CSV/JSON file...). If you can't trust the site based on reputation, you can't trust the site at all.


It's hard to inspect websites by analyzing their source code, because some sites hide code inside it. You might want to try reputation-based analysis instead.

You can add an add-on to your browser to analyze a site before you click it. One example is WOT (Web of Trust), a plug-in: https://www.mywot.com/

You can also send the URL to a free URL scanner. One example is http://zulu.zscaler.com/, a risk-analyzer tool that inspects the website itself.

You can also try http://urlquery.net/index.php

The most common reputation-based analysis sites are http://www.urlvoid.com/ and https://www.virustotal.com/
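If you lean on VirusTotal regularly, the lookup can also be scripted against its public REST API (the v3 interface as I understand it; you need an API key from a free account, the key and target below are placeholders, and the current documentation should be checked before relying on this sketch):

    import requests  # third-party; pip install requests

    API_KEY = "YOUR_VT_API_KEY"            # placeholder
    TARGET = "http://suspicious.example/"  # placeholder

    # Submit the URL for scanning (VirusTotal REST API v3).
    resp = requests.post("https://www.virustotal.com/api/v3/urls",
                         headers={"x-apikey": API_KEY},
                         data={"url": TARGET},
                         timeout=30)
    resp.raise_for_status()
    analysis_id = resp.json()["data"]["id"]

    # Fetch the analysis report; in practice you may need to poll until its
    # status reads "completed".
    report = requests.get(f"https://www.virustotal.com/api/v3/analyses/{analysis_id}",
                          headers={"x-apikey": API_KEY},
                          timeout=30)
    print(report.json()["data"]["attributes"]["stats"])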