I recently received a text to a sketchy URL. In my curiosity I tried to see if I could get the source code from said URL without actually going there directly.

My first attempt I did this with apitester.com, a website that is intended for testing APIs but comes in handy for a quick URL test and seeing what gets returned. Next, I tried an official website dedicated to telling me if a site is sketchy. Finally, I tried to CURL the url with a variety of different headers. Alas, all these attempts gave me nothing. I know if I clicked on this link through my Phone it would definitely direct me to a sketchy website, but I just can't for the life of me figure out how their backend is setup to know what is a real request and what is not.

My Question is this; what is the potential stack setup that this person could be using that would disallow anyone from testing the URL and force them to redirect to google and any real request to redirect to the actual website?

  • 4
    An user agent or a js check?
  • 2
    @molaram but I changed my user agent in curl. How am I still getting forwarded to Google and not the real site?
  • 1
    I'm also very curious about this, isn't there any way to exactly mimick your phones request? If the request truly is identical then there shouldn't be any difference I believe but then again I don't really touch webstuff
  • 2
    Just launch chrome in incognito, f12, network, check the Preserve Log box. Enter your url in the address bar and hit enter. Now in the dev tools you will have your answer.
  • 2
    If the url has params [request/url], you might confirm your email/phone no is valid. Meaning you will get more spam later on. But then again I guess you have already called that url far too many times to worry about that 😁

    if the url has params, it could be a single-use token. Explains why you cannot get a valid responae after all those attempts
  • 2
    @netikras not a good idea as bad scripts could be loaded. I could run it from an isolated virtual machine...
  • 2
    @iSwimInTheC What could a "bad script" do "bad" in an incognito chrome?

    No activeX
    No cookies
    No history
    No durability
  • 1
    @netikras If you want "No bad" you need to use a vpn + vm. 99.98% of the time its just a scam for a password/credit card number but you can still find a site exploiting a zeroday in your browser.
  • 2
    @netikras all the google engineers in the world and they missed a UaF in Chrome, and they admitted most of their fuckups reside in like one fucking code blob they keep just patching up instead of rebasing.
  • 0
    @WIPocket I'd suggest Tor, actually, but that's just me.
  • 1
    @Parzi Tor out nodes are *really* eazy to detect, but yea, its much faster, safer and more anonymous than a vpn. Unless the website tries to block tor, you should be fine using a lesser known vpn.
Add Comment