Sometimes I'm interested in what's behind a malicious website. How do I stay on the safe side if I decide to inspect? I'm searching for methods that are quicker and more simple than running the website on a virtual machine.
Should I use cURL and view the HTML source in a file viewer? Should I simply view the source in the browser using view-source:http://malicious-website/? Are those safe?
Why not just send the URL to Virustotal? Accessing a malicious website can be tricky. Using curl, wget, links -dump can be tricky depending on how the malicious content is served up. For example:
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteCond %{HTTP_USER_AGENT}
RewriteCond %{HTTP_USER_AGENT} ^.*(winhttp|libwww\-perl|curl|wget).* [NC]
RewriteRule ^(.*)$ - [F,L]
</IfModule>
Using mod_rewrite, I can feed you non-malicious pages. I can send you elsewhere, do whatever I'd like. Further, I can change payloads e.g.: instead of feeding you malicious, I can just change it to a non-malicious "Hello World" javascript. This may trick you into thinking my malicious website is harmless.
Normally when I have to visit a malicious website, I have a virtualized sandbox which runs burpsuite for interception, Squid proxy server, and a few other tools (noscript, ghostery, etc). What is the ultimate purpose of visiting outside of curiosity?
Visiting a malicious site is often a hit or miss because you're talking to THEIR software that THEY control. You have no real control over it no matter what you do. It could appear non malicious for a long time, and then hit you. It could try to hit you as soon as you visit it. It could...
Because there are literally infinite possibilities of how a site could be malicious you can't really ever be sure. All you can do is use some sort of burner equipment, explore, and still never trust the site. Ever. For any sites. The danger no matter what protocol you use is that in the end you will be visiting their server in some way. You open yourself up to payloads on every level of the OSI model. If you just want to see options headers that still an open connection. It's really a catch 22.
Remember, the web is a level of trust. I trust you to keep me safe. Just in case though, I'm still going to run anti virus software and let other people visit it first. If they stay safe long enough I guess I'll visit you.
And then there's the chance those could get hacked. Then your trust is broken.
Worse yet is trying to inspect code. Sure you get a copy, but a copy of what? It's in the best interest for a site to appear non malicious for as long as possible. Often time source is completely innocuous until it downloads the payload in some sort of non flagging off site location that would past most tests. So you then you're stuck hunting down every single link and source file and reading through those too or analyzing them, which is costly over time.
You can never trust a site completely. Not even Google. The actual malicious part of the site can be put into anything, anywhere on the site. Sure you can safely inspect the source, but then all you might get is a false sense of security.
If you absolutely MUST do this, use a burner machine or VM that you can destroy the instant it becomes infected. The payload could be anywhere(HTML file, off site JS/CSS/Vector/app/image/CSV/JSON/file...). If you can't trust the site based on reputation, you can't trust the site at all.
It's hard to inspect websites by analyzing their source code, because some sites have hidden codes in it. You might want to try reputation based analysis.
You can add an add-on to your browser to analyze the site before you click it. Example of it is wot, a plug-in (web of trust). https://www.mywot.com/
You can also send the URL to a free URL Scanner. Example is http://zulu.zscaler.com/ This inspects the website itself. This is a risk analyzer tool.
You can also try http://urlquery.net/index.php
The most common reputation based analysis site is http://www.urlvoid.com/ and https://www.virustotal.com/
Others mentioned that just retrieving a URL can provide crucial information to the host; usual the information is that you have read an email.
That said, I assume that one option to inspect a web page securely which is not too uncomfortable or complicated is to open the URL in a text based browser like lynx (under Windows perhaps in a cygwin environment). Lynx does not process JavaScript and does not immediately display images or other non-text content, which afaics makes it invulnerable to most attacks targeted on mainstream platforms (I'd appreciate comments on that though).
I like @Robert Mennell's answer, but I'll add that there is one way to see what the site is running, and that is to yank the disk and inspect it in another machine. That way, you're less likely to be impacted by a rootkit that's causing the OS to lie to you. Of course, the drive firmware could be lying to you, but that's a pretty specialized rootkit.
A suggestion -- not sure if it's actually safe or not -- is to use Google translate on the site, specifying a target language that can be minimally understood at a glance (German, Dutch, etc). I've done that for suspicious pages (and also translated to English for some Chinese and Indian web pages sent by customers that I was worried about). It appears to me that Google is taking the risk and generating what you see. So as long as you don't click on anything it seems to be safe -- of course, I could be way wrong about that. Google may say "site redirected you too many times" but if so that may be an indicator itself the site is not safe.
This doesn't solve the "inspect the site's source code" aspect, but it may give additional info and clues as to whether further methods to view the source code are warranted.
