Home > Blockchain >  When I view the source code of a potentially malicious page, can the website harm my computer?
When I view the source code of a potentially malicious page, can the website harm my computer?

Time:11-18

I'm investigating something and it led me to a website online.

I haven't yet visited the website because I have reason to believe that it may have malicious content.

I know that in Google Chrome, you can view the source code of a webpage by pressing Ctrl-U. Unfortunately, that requires having visited the page.

Then I discovered that you can get the source code of a webpage without visiting it by adding view-source: before the https:// part of the URL.

So I can view Wikipedia's home page source code with view-source:https://www.wikipedia.org.

I want to do the same with the potentially malicious website but I don't want anything to happen to my computer. The only person I could consult regarding the website said that it "tracks the hell out of your computer". While whomever they heard that from does have a background in network engineering, they themselves don't, so I don't have any detailed information about it.

I know that basically all websites "track" you, i.e., gather information about your computer, such as its IP address, window resolution, user login, etc. by installing cookies on the user's computer to be requested later upon the next visit, but I don't know much about how far those abilities can extend.

I also found out from somewhere (I may be wrong) that there is a difference between "view page source" and "inspect page source" because the first one gives you the raw source code before any JavaScript is applied and the second one is available once you're on the site and any applicable JavaScript has already been applied and you can see its results.

Based on that, I'm assuming that it's perfectly safe to use the view-source: technique if I don't care about the results of the scripts on the page.

So essentially, I need to know these things:

  1. Is it really perfectly safe to use view-source:? I'm assuming not, so I'd like to know exactly what risks I'm taking and what risks I'm avoiding by doing this. EDIT: Forgot to mention. Does the website know that I'm viewing its source code, and does it by that fact know that my IP address requested its source code?

  2. Assuming I can read the JavaScript scripts, can I get a general sense of what the scripts do by reading what I get from view-source: alone, or can a webpage access scripts from other webpages without them explicitly being written on that page? (I'm assuming they can do that since I see hyperlinks on other websites ending in .js that I can click on revealing more JavaScript scripts) Note: I don't really care what the content of the webpage is in terms of what an ordinary user sees, since my investigation already knows and/or doesn't care about what is on it, I just care about what the webpage does in terms of tracking users.

  3. What can "tracking the hell out of your computer" entail exactly? In other words, what are some worst-case scenarios? No scenario is too outlandish; part of my investigation is to learn about this kind of stuff since it will help us down the line.

CodePudding user response:

The general answer is to just disable javascript and cookies in your browser first.

  1. Generally yes it's ok to view source, especially if javscript is disabled prior.

  2. You can if their scripts are readable, many sites however will minimize the code, which is generally not very readable.

  3. If javascript is disabled it's likely that their tracking would not work or at best be incomplete.

CodePudding user response:

I ignore the "how to ask" topic from above for now to answer your question. What I am not sure whether Stack Overflow is the right site for it in Stack Exchange.

The question is basically what threats you suspect from your "potentially malicious page".

If your concerns are mainly about privacy, it might be OK to take the risk. Sometimes I even just use "incognito mode", despite I know about it flaws, if the threat I suspect is limited.

If your concern is that the page code might try to elevate privileges out of the sandbox using security issues in the browser or more, you would basically trust the security implementation of the same software, which the page is trying to "hack in".

For the latter I at least use a read-only VM with minimal software and network access or, when it is about a serious threat, e.g. a ransomware, really an old notebook, which gets installed before and wiped after or even the hard-disk destroyed afterwards. And even with the latter, I am taking the risk, that something might have modified the BIOS.

  • Related