urlscan.io
A sandbox for the web


urlscan.io is a free service to scan and analyse websites. When a URL is submitted to urlscan.io, an automated process will browse to the URL like a regular user and record the activity that this page navigation creates. This includes the domains and IPs contacted, the resources (JavaScript, CSS, etc) requested from those domains, as well as additional information about the page itself. urlscan.io will take a screenshot of the page, record the DOM content, JavaScript global variables, cookies created by the page, and a myriad of other observations. If the site is targeting the users one of the more than 400 brands tracked by urlscan.io, it will be highlighted as potentially malicious in the scan results.

urlscan.io itself is a free service, but we also offer commercial products for heavy users and organisations that need additional insight.

Our Mission

Our mission is to allow anyone to easily and confidently analyse unknown and potentially malicious websites. We realised early on that even for battle-hardened web developers and security researchers its a frustrating experience to record page interactions and additional metadata from websites, on the off chance of finding the needle in the haystack. Even worse, a single observation is often meaningless without the necessary context. Is this domain something that websites usually load third-party JavaScript from? Are any other reputable websites talking to this weird IP address on the Cayman Islands?

We created urlscan.io in late 2016 to solve these problems. Our focus has always been to break down the vast amount of data from a website page navigation into digestible chunks. We're analyst-first, we always strive to understand and anticipate the pieces of information that would be helpful during an investigation and the attributes that allow pivoting. Just like you would use a malware sandbox to analyse suspicious files, you can use urlscan.io to do the same thing but with URLs.

Johannes Gilger
CEO & Founder

Johannes has been working in InfoSec since 2011. He spent the last six years in the CrowdStrike Threat Intelligence team. In late 2016 he created urlscan.io.

FAQ

Q: Can our company use the service and data on it commercially?
A: Yes in general, using urlscan.io as part of your daily workflow (for things like SOC processes, investigations, reports) is totally fine. If you want to do a large volume of queries, submit a lot of scans or be able to integrate our data into one of your commercial offerings we'd ask you to contact us first to work out what is acceptable use under our free usage tier and what kind of use requires a commercial agreement.

Q: What is difference between Public, Unlisted, and Private scans? Do they deliver different results?
A: The scans all deliver the same results. The difference between the scan type is their visibility in the search results.
Private and Unlisted scans do not appear on the frontpage or in the public search-results or aggregations.

Private scans can only be opened if you know their unique ID. If you submitted a private scan while logged in, you will be able to find your own private scans in your search. We don't share private scan information with third parties (including our sponsors and commercial customers), ever.

Unlisted scans can be found by vetted security researchers and companies which are subscribers to our urlscan Pro platform.

Make sure you understand the differences as outline in our API documentation.

Q: When should I choose Public, Unlisted, or Private when scanning?
A: These are some guidelines to decide when to use which visibility:
Public: There is no PII or confidential data in the URL and you want it to be discoverable by other researchers.
Unlisted: There might be PII or mildly sensitive data on the site, but you want security vendors and reputable researches to be able to pick up this data to improve their products and take action (for example takedown requests).
Private: Nobody but you should be able to see the results of the scan.

Q: How can I request the content of a scan to be removed from your website?
A: Please use the orange Report button on the result page of the scan.

Q: Can you prevent my domain from being scanned? Can you bulk-delete existing scans?
A: Yes, please send us a email at info@urlscan.io with the domains or URL patterns you'd like us to blacklit.

Q: Does urlscan.io show whether a website contains malware or phishing attempts?
A: Yes, we have some basic mechanisms for determining whether a website contains malicious content. Our proprietary phishing detection mechanism tracks 400 popular brands and can identify phishing or impersonation attempts of these brands.
We do record file downloads, but we do not detect whether a downloaded file is malicious, e.g. a malicious executable.

Q: Does urlscan.io detect when a malicious site is no longer active, e.g. cleaned up?
A: No, our website scans only provide point-in-time snapshots of the website content, we do not re-crawl existing scans.

Q: Can I use the "malicious" verdicts on urlscan.io as a blocking feed?
A: We don't recommend it as the occasional false positive verdicts still occur.

Q: Can I search urlscan.io for pages which have been detected as malicious?
A: This feature is available as part of the commercial urlscan Pro subscription and not available through the community search.

Q: How does urlscan.io work?
A: We use the Google Chrome browser in Headless Mode to browse to the URLs submitted by users. We record the interaction of the page with the Internet and after the page has finished loading, we annotate the results with additional data sources.

Q: Do you store results indefinitely?
A: No, we will delete private scans after a certain age and we don't make any guarantees about the retention of any type of scan in the future. If you need the results of a scan make sure to download it.

Q: Why is the screenshot and DOM snapshot empty for some scans?
A: We don't store the screenshot and DOM snapshot if we determine the page to be empty, i.e. not containing any visible content and not loading any resources.

Q: Do you offer different browser locations/countries?
A: Not right now, we might include this feature in the future.

Corporate Sponsors

Thanks to our corporate sponsors for helping us keep the community service up and running!

  • SecurityTrails - Security Data and APIs
    We Offer Paid API and Data Services for Top Security Companies. Tap into a treasure-trove of cyber security gold and get the info you can’t find anywhere else.
  • ipinfo.io - IP Address API and Data Solutions
    We're the trusted source for IP address data, handling 12 billion API requests per month for over 1,000 businesses and 100,000+ developers.
  • Tines - Security Automation and Orchestration (SOAR) Platform
    The Tines security automation platform helps the world's leading security teams automate any manual task. Making them more effective and efficient.
  • Joe Security - Automated Malware Analysis - Joe Sandbox
    Analyse Malware in a Depth Previously Not Possible. Unleash the power of deep malware analysis to your CERT, CIRT, SOC or IR team! Fully automated or manual.
  • Hatching Triage - Sandbox for High-Volume Automated Malware Analysis
    Hatching Triage is our state-of-the-art malware analysis sandbox designed for cross-platform support (Windows, Android, Linux, and macOS), high-volume malware analysis capabilities, and malware configuration extraction for dozens of malware families.

External Projects

These projects utilize urlscan.io:

  • Phish.ly - Analyze suspicious emails with Tines & urlscan

Media Coverage

urlscan.io was covered by these posts, articles and screencasts:

  • securitytrails.com Blog - It's never been easier to make a great product: A chat with Johannes Gilger from urlscan.io (May 2, 2019)
  • tines.io - Automating abuse inbox management and phishing response (July 27, 2018)
  • The Daily Beast - Russian Hackers’ New Target: a Vulnerable Democratic Senator (July 26, 2018)
  • securitytrails.com Blog - URLScan.io: the best way to scan any website (July 16, 2018)

Reports referencing urlscan.io

These are industry reports that leverage urlscan.io or its data in some way.

Similar services & software

urlscan.io is not the only service that can be used to browse and analyse a website. These are some similar services, some provided invaluable inspiration for this very service!

Lists of similar & related services

Services

  • urlquery.net (defunct) - Scans sites and looks up domains/IPs on various blacklists. This service inspired us to build urscan.io.
  • keycdn speed test - Website speed test, employs similar techniques and inspired some features on this site
  • WebPagetest - Exhaustive speed-testing service with different locations, browser and options
  • pingdom Website speed test
  • Trackography - Find out who is tracking you when you are reading your favourite news online.
  • Web Cookies Scanner - HTTP cookies, Flash, HTML5 localStorage, sessionStorage, CANVAS, supercookies, evercookies as well as SSL/TLS and HTTP security
  • Hardenize - Helping you deploy the latest security standards
  • Browserless - A headless browser in the cloud

Software

  • browserless - Chrome as a service in docker. Run on our cloud, or bring your own.
  • Puppeteer - Headless Chrome Node API, maintained by the Google Chrome Team
  • Lighthouse - analyzes web apps and web pages, collecting modern performance metrics and insights on developer best practices.
  • Awesome chrome-devtools - Awesome tooling and resources in the Chrome DevTools ecosystem

Acknowledgements

Affiliation

urlscan.io is not affiliated with any of the services we link to on our results pages. Linking to any site does not constitute an endorsement or guarantee of fitness of the data.