# URL Inspector

> Dissect any URL into its named parts: scheme, host, port, path, query parameters, and fragment. Decodes percent-escapes and internationalized hosts, and flags credentials and other issues. Runs entirely in your browser.

- Tool: https://ronutz.com/en/tools/url-inspector
- Family: Web & HTTP

---

## What it does

Dissect any URL into its named parts: the scheme, the host, the port, the path, the individual query parameters, and the fragment. It decodes percent-escapes and internationalized (punycode) hostnames, flags embedded credentials and other issues, and shows the scheme's default port. Everything runs in your browser.

## The parts of a URL

A URL has a defined grammar, set out in RFC 3986, and the tool splits a URL into its top-level components: the **scheme** (such as `https`), the **authority** (which holds any userinfo, the **host**, and the **port**), the **path**, the **query**, and the **fragment**. It then breaks the query string into individual parameters and percent-decodes each one, so a long query becomes a readable list of name-and-value pairs rather than one opaque string. Following the WHATWG URL Standard, it treats a `+` in a form-encoded query as a space.

## Parsed as written, not normalized

An important design choice: the tool parses the URL exactly as you gave it and does not silently normalize it. That matters because the differences a browser would quietly smooth over are often exactly what you are trying to see: an unexpected port, a doubled slash, a stray encoded character. Showing the URL as written is what makes it useful for debugging and for spotting something suspicious.

## Decoding and flagging

Two things in particular the tool surfaces:

- **Internationalized hostnames.** A host label in punycode form (beginning `xn--`) is decoded back to its Unicode text (RFC 3492 and the IDNA framework of RFC 5890), so you can see the actual name, which also helps reveal look-alike domain tricks.
- **Embedded credentials.** A URL can carry a username and password in the `user:pass@host` form, and the tool flags this, because credentials in a URL are a common mistake and a security concern.

## Using it

Paste a URL and read its scheme, host, port, path, decoded query parameters, and fragment, with any credentials or other issues flagged. The parse is deterministic and local, so it is safe to inspect any URL, including one you do not want to visit.

## Standards and references

- [RFC 3986 - Uniform Resource Identifier (URI): Generic Syntax](https://www.rfc-editor.org/rfc/rfc3986) - the component grammar (scheme, authority, path, query, fragment) and the parsing regex
- [WHATWG URL Standard](https://url.spec.whatwg.org/) - browser URL parsing, special schemes, and the form-urlencoded query (plus as space)
- [RFC 3492 - Punycode: A Bootstring encoding for IDNA](https://www.rfc-editor.org/rfc/rfc3492) - decoding an xn-- host label back to Unicode
- [RFC 5890 - Internationalized Domain Names for Applications (IDNA)](https://www.rfc-editor.org/rfc/rfc5890) - the IDNA framework that the punycode host form belongs to

## Related reading

- [Deceptive URLs: Reading Past the Tricks](https://ronutz.com/en/learn/deceptive-urls.md): URLs are a favorite tool for phishing because the real destination is easy to disguise. The userinfo trick, redirect parameters, and look-alike characters all make a hostile link look friendly. This shows the common disguises and the one reliable habit for finding the real host.
- [Evasion Techniques: How Advanced WAF Normalizes Around Attacker Encoding](https://ronutz.com/en/learn/awaf-evasion-techniques.md): Attackers hide payloads inside unusual encodings so a signature never sees the real characters. BIG-IP Advanced WAF answers with eight evasion sub-violations under the single 'Evasion technique detected' violation, each normalizing or detecting one trick: %u decoding, Apache whitespace, Bad unescape, Bare byte decoding, Directory traversals, IIS backslashes, IIS Unicode codepoints, and Multiple decoding. All eight are enabled by default.
- [HTTP Proxies: Forward vs Reverse, Explicit vs Transparent](https://ronutz.com/en/learn/http-proxy-forward-and-reverse.md): An HTTP proxy parses requests at Layer 7, so it can route by URL, rewrite headers, and enforce policy on content a TCP proxy cannot see. Two axes describe every deployment: forward vs reverse (which side it works for) and explicit vs transparent (whether the client knows it is there). This covers the CONNECT method, X-Forwarded-For and Via, and where each combination is used.
- [Query Strings: Parameters, Plus Signs, and Repeated Keys](https://ronutz.com/en/learn/query-strings.md): The part of a URL after the question mark looks simple but hides real ambiguity: how parameters are separated, why a plus sign sometimes means a space, how repeated keys behave, and why there is no single governing standard.
- [Relative URLs and How They Resolve](https://ronutz.com/en/learn/relative-urls-and-resolution.md): A relative URL leaves out the scheme and host and is completed against a base URL. The rules for how a browser fills in the rest, and how ./ and ../ and a leading slash change the result, explain a lot of broken links and a few security surprises.
- [The Anatomy of a URL](https://ronutz.com/en/learn/url-anatomy.md): Every URL is built from the same handful of parts defined by RFC 3986: scheme, authority (userinfo, host, port), path, query, and fragment. What each part means, how a parser tells them apart, and where the boundaries actually fall.
- [The TCP Proxy: What a Layer 4 Middlebox Does and Does Not See](https://ronutz.com/en/learn/tcp-proxy-layer-4.md): A TCP proxy terminates the client's TCP connection and opens a separate one to the server, splicing two independent flows together at Layer 4. It rewrites addresses and ports, can pool and reuse connections, and sees nothing of the application payload above the transport header. This explains full-proxy versus packet-forwarding, why the source IP disappears, and how the Proxy Protocol puts it back.
- [URL Encoding and Internationalized Hosts](https://ronutz.com/en/learn/url-encoding-and-idn.md): URLs are restricted to a small set of ASCII characters, so everything else is encoded. Percent-encoding handles paths and queries; punycode handles non-ASCII host names. How both work, and why internationalized hosts are a phishing concern.
