RawHTTP.com was created to help in the investigation of suspicious links. There are a few key areas:
The top section information should be mostly self-evident, but it will include the interpretation of the input URL, a sanitized version for safe copy-pasting, as well as the IP address as resolved at the time of the request.
The Domain Suspicion value is computed by my own experimentation with machine learning. It looks at select features of only the domain information (e.g. www.example.com) to help decide whether or not it's suspicious. This value shouldn't be considered a risk score or any real analysis.
The HTTP Headers section does two things. First, it shows the order of requests that took place to reach the destination. For instance, if there are redirects, it'll display the 302 or 301 status code, and below it will be the next request, until it reaches the destination. Second, it shows the HTTP response headers for the requests it makes, which can give insight into the server configuration for the URL.
When investigating a suspicious link, for example one in an email that is suspected to be phishing, it's convenient to be able to see what the phishing page looks like. The screenshot as displayed should faithfully look the same as it would in a web browser, but it may not be exact. Clicking the screenshot will open a full-sized version in a new tab.
This section will display different information depending on the URL it's returning. Possible information may include:
This section has the ability to display the full HTML of the resulting web page, which may help the investigator look for malicious content. It also has the ability to add syntax-highlighting. By clicking 'Add Syntax Highlights' the HTML should be easier to read. Note that on large webpages this may be taxing on your computer.
If there are any HTML forms on the page, it'll attempt to display the opening lines of the forms, so the investigator can read the action attribute and determine where any input information would be sent.
If told to use HTTPS, this section should display select details found within the certificate.
If the requested object is an image, it may also contain EXIF data if it exists.
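The form check described above can be reproduced offline on saved HTML. The following is an added example, not RawHTTP.com's own code: it goes one step further than showing the opening tag by resolving each action attribute against the page URL and flagging forms that submit to a different origin. The function names, the sample page and its URLs are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit


class FormActionParser(HTMLParser):
    """Collects the opening-tag attributes of every <form> element."""

    def __init__(self):
        super().__init__()
        self.forms = []

    def handle_starttag(self, tag, attrs):
        if tag == "form":
            self.forms.append(dict(attrs))


def form_targets(html, page_url):
    """Return one dict per form: method, resolved target URL, off-origin flag."""
    parser = FormActionParser()
    parser.feed(html)
    page = urlsplit(page_url)
    results = []
    for attrs in parser.forms:
        # A missing or empty action submits back to the page's own URL.
        action = (attrs.get("action") or "").strip()
        target = urljoin(page_url, action) if action else page_url
        dest = urlsplit(target)
        results.append({
            "method": (attrs.get("method") or "get").lower(),
            "target": target,
            "off_origin": (dest.scheme, dest.netloc.lower())
                          != (page.scheme, page.netloc.lower()),
        })
    return results


# Constructed sample page, not taken from a real site.
SAMPLE_HTML = """
<html><body>
<form action="/search"><input name="q"></form>
<form method="POST" action="https://collector.example.net/login.php">
  <input name="user"><input name="pass" type="password">
</form>
<form method="post"><input name="email"></form>
</body></html>
"""

if __name__ == "__main__":
    for form in form_targets(SAMPLE_HTML, "https://www.example.com/account/verify"):
        print(form)
```

A form whose target is off-origin is not malicious by itself, but on a page that imitates a login screen it is the first place to look.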
Something worth considering is that if the URL entered performs some action, for example unsubscribing from a mailing list, or anything else, those actions will still be taken. Be careful not to submit URLs that contain personal information, such as referral links, if you're concerned about the owner of the site having that information.
In an effort to be helpful, any [.] in a domain will be replaced with a single dot and any [:] in the scheme/protocol will be replaced with a single colon. This takes away a little bit of the annoyance of pasting sanitized URLs, but could, in theory, give an inconsistent result if that was unexpected.