-1

I'm investigating something and it led me to a website online.

I haven't yet visited the website because I have reason to believe that it may have malicious content.

I know that in Google Chrome, you can view the source code of a webpage by pressing Ctrl-U. Unfortunately, that requires having visited the page.

Then I discovered that you can get the source code of a webpage without visiting it by adding view-source: before the https:// part of the URL.

So I can view Wikipedia's home page source code with view-source:https://www.wikipedia.org.

I want to do the same with the potentially malicious website but I don't want anything to happen to my computer. The only person I could consult regarding the website said that it "tracks the hell out of your computer". While whomever they heard that from does have a background in network engineering, they themselves don't, so I don't have any detailed information about it.

I know that basically all websites "track" you, i.e., gather information about your computer, such as its IP address, window resolution, user login, etc. by installing cookies on the user's computer to be requested later upon the next visit, but I don't know much about how far those abilities can extend.

I also found out from somewhere (I may be wrong) that there is a difference between "view page source" and "inspect page source" because the first one gives you the raw source code before any JavaScript is applied and the second one is available once you're on the site and any applicable JavaScript has already been applied and you can see its results.

Based on that, I'm assuming that it's perfectly safe to use the view-source: technique if I don't care about the results of the scripts on the page.

So essentially, I need to know these things:

  1. Is it really perfectly safe to use view-source:? I'm assuming not, so I'd like to know exactly what risks I'm taking and what risks I'm avoiding by doing this. EDIT: Forgot to mention. Does the website know that I'm viewing its source code, and does it by that fact know that my IP address requested its source code?

  2. Assuming I can read the JavaScript scripts, can I get a general sense of what the scripts do by reading what I get from view-source: alone, or can a webpage access scripts from other webpages without them explicitly being written on that page? (I'm assuming they can do that since I see hyperlinks on other websites ending in .js that I can click on revealing more JavaScript scripts) Note: I don't really care what the content of the webpage is in terms of what an ordinary user sees, since my investigation already knows and/or doesn't care about what is on it, I just care about what the webpage does in terms of tracking users.

  3. What can "tracking the hell out of your computer" entail exactly? In other words, what are some worst-case scenarios? No scenario is too outlandish; part of my investigation is to learn about this kind of stuff since it will help us down the line.

Patrick O'Brien
  • 69
  • 5
  • 2
    view-source: would still add your IP to their log file. I use http://www.dan.co.uk/viewsource/index.php – mplungjan Nov 17 '21 at 12:02
  • 2
    Welcome to Stack Overflow! Visit the [help], take the [tour] to see what and [ask]. – mplungjan Nov 17 '21 at 12:02
  • ^ but doing so won't harm you computer. In theory visiting a website could, but browsers security model is pretty strong these days. The last time I remember just visiting a website been harmful was how I jail broke my iPhone, of course that wasn't harmful, as I wanted it to do it. But it does show it can be done. – Keith Nov 17 '21 at 12:05
  • @mplungjan So this service prevents my IP being logged by the website? – Patrick O'Brien Nov 17 '21 at 12:22
  • Yes. It will log Dan's IP – mplungjan Nov 17 '21 at 12:23

3 Answers3

1

I ignore the "how to ask" topic from above for now to answer your question. What I am not sure whether Stack Overflow is the right site for it in Stack Exchange.

The question is basically what threats you suspect from your "potentially malicious page".

If your concerns are mainly about privacy, it might be OK to take the risk. Sometimes I even just use "incognito mode", despite I know about it flaws, if the threat I suspect is limited.

If your concern is that the page code might try to elevate privileges out of the sandbox using security issues in the browser or more, you would basically trust the security implementation of the same software, which the page is trying to "hack in".

For the latter I at least use a read-only VM with minimal software and network access or, when it is about a serious threat, e.g. a ransomware, really an old notebook, which gets installed before and wiped after or even the hard-disk destroyed afterwards. And even with the latter, I am taking the risk, that something might have modified the BIOS.

Torsten Knodt
  • 477
  • 1
  • 5
  • 20
1

The general answer is to just disable javascript and cookies in your browser first.

  1. Generally yes it's ok to view source, especially if javscript is disabled prior.

  2. You can if their scripts are readable, many sites however will minimize the code, which is generally not very readable.

  3. If javascript is disabled it's likely that their tracking would not work or at best be incomplete.

mrall
  • 140
  • 4
-2

Well let's say you have a virus that you designed yourself on your computer using JavaScript. If you save the source code of the virus as a .js file on your device, your device will not be harmed because it has not become a virus yet, or in other words, it has not been run. Now let's consider that you have browsed a malicious site, but you do not realize that since you visited the site and the browser has turned on the source code of the site, i.e. The browser has edited the virus or ran it, but if you view the source code of the site via view-source: the virus will not run even if it exists because the browser has not translated the site yet, meaning that it is practically still closed and you have never visited it only you It shows the source code of the site and does not go to the site, it's like an apk file that has not been installed yet. I get my point

Zezo Android
  • 7
  • 2