ZeroTrace OSINT
URL Tools
URL parser, suspicion-scoring URL analyzer, and IDN homograph detection.
A pair of utilities for URL inspection. The simple parser breaks a URL into its components. The analyzer scores a URL for suspicion based on shape and content.
URL Parser
For any URL, the parser returns:
| Component | Example |
|---|---|
| Scheme | https |
| Host | app.example.com |
| Subdomain | app |
| Registrable domain | example.com (via Public Suffix List) |
| Top-level domain | com |
| Port | 443 (default if not specified) |
| Path | /login |
| Path segments | ["login"] |
| Query parameters | Each parsed and decoded |
| Fragment | #section |
| Username / password | When present (a phishing-URL signal) |
For each query parameter, the parser also offers:
- Base64 decode-attempt (catches base64-encoded values).
- URL decode-attempt (catches double-encoded values).
- JSON parse-attempt (catches structured values).
URL Analyzer
The analyzer takes a URL and emits a suspicion score plus rationale:
| Signal | Contributes if |
|---|---|
| Long random subdomain | Subdomain looks like kj3h8s7d.example.com |
| Many subdomains | Three or more subdomain levels (often a phishing pattern) |
| Suspicious TLD | Free or abuse-friendly TLDs (.tk, .ml, .ga, .cf) |
| IP in URL | Hostname is a raw IP rather than a domain |
| Username in URL | user:pass@host form |
| Punycode | IDN-encoded hostname (xn--...) |
| Homograph candidates | Visually-confusable characters in the hostname (Cyrillic а for Latin a, etc.) |
| Suspicious path elements | /login, /wp-admin, /.git, /.env |
| Long URL | URLs over a kilobyte (often base64-payload phishing) |
| Fragment that looks like data | #data:... patterns |
The composite score lets you triage a list of URLs quickly. High scores get manual review; low scores can be batch-processed.
IDN homograph detection
A particular emphasis. The tool decodes Punycode hostnames and surfaces visually-confusable characters:
paypal.com(all Latin) vs.pаypаl.com(with Cyrillicа).google.com(all Latin) vs.gооgle.com(with Cyrillicо).
The visual rendering is critical, the URL looks identical to the human eye but resolves to a different domain. The analyzer surfaces this with a coloured warning.
Homograph attacks rely on the visual-vs-actual mismatch. Always verify hostname spelling on suspicious links by viewing the Punycode form alongside the rendered form. The URL parser and analyzer both show this pair.
Auto-compose
A one-click affordance opens site analysis for the URL. For URLs that score high on suspicion, the natural follow-up is to run them through site analysis (with appropriate caution about whether to actually fetch a hostile URL, often you would prefer the Wayback Machine or a sandboxed environment for that).
Bulk URL parsing / analysis
Bulk paste accepts a list of URLs. The aggregate table shows per-URL components and analyzer scores, useful for triaging URLs from a phishing-report dump.
Pivots
| Click on... | Pivot to |
|---|---|
| Host | DNS, WHOIS, certificate transparency, site analysis |
| Registrable domain | WHOIS, DNS history |
| Path segments | (no pivot, informational) |
| Query parameters | (no pivot, copy and inspect) |
| Punycode form | (no pivot, copy and verify) |
Sources
All parsing and analysis is local. The Public Suffix List for registrable-domain extraction is bundled with the application. The homograph catalog is bundled.