Tanush Pradhan · 2026
Project 05 · Live Tool

URLSentinel
phishing scanner.

A browser-based phishing and malicious URL detector — paste any link, get a threat score in under a second. Thirteen detection heuristics, zero backend, nothing ever leaves your browser.

Role
Solo build
Status
Live · client-side
Stack
Vanilla JavaScript
Tags
Cybersecurity · Detection
Try it
yourself.

Paste a URL below and scan it. Use the example chips inside the tool if you don't have one handy — one is a real phishing pattern, one's a clean legitimate site, one sits in between.

tanushpradhan.com/tools/urlsentinel.html
Why I
built it.

Most phishing awareness material tells people to "check the URL carefully" without ever explaining what to actually look for. The gap between that advice and the technical reality — typosquatting, IP-literal hosts, the classic @-symbol redirect trick, throwaway TLDs — is exactly where most people get caught.

URLSentinel is my attempt to make that checklist concrete and instant. Paste a link, see exactly which red flags it trips and why, in language that doesn't require a security background to understand.

How it
works.

The scanner runs 13 independent heuristic checks against the URL's structure, host, and path — no machine learning, no external threat-intel API, just well-documented patterns that show up disproportionately often in real phishing campaigns. A few examples:

IP address as host

Raw IPs instead of domain names bypass DNS-based detection and hide the real operator.

@ symbol in URL

Browsers ignore everything before @ — so "paypal.com@evil.com" actually loads evil.com.

High-risk free TLDs

.xyz, .top, .click and similar are free or near-free — disposable infrastructure for campaigns that get abandoned the moment they're flagged.

Brand impersonation

Typosquatted domains ("paypa1" for "paypal") catch the eye scanning too fast to notice the swap.

Credential-harvesting patterns

Paths containing login/verify/confirm/account combined with other flags raise the composite score.

URL shorteners

bit.ly, tinyurl and similar hide the real destination — common for slipping past email link scanners.

Each flag carries a severity weight; the weights sum into a 0–100 threat score with a plain-language explanation attached to every flag that fired. No single rule decides the verdict — it's the combination that matters, same as real-world triage.

On
privacy.

This was a deliberate constraint, not an accident: the entire tool runs client-side. There's no server, no API call, no logging. Whatever URL you paste — including any sensitive or internal links — never leaves your browser tab.

For a tool whose entire purpose is inspecting potentially sensitive links, that felt like the only acceptable design. A "free phishing checker" that quietly logs every URL submitted to it would be a worse privacy posture than the phishing emails it's meant to catch.

What I
learned.

Heuristic security tools live or die on false-positive rate. It's trivial to write a rule that flags everything suspicious-sounding; the hard part is calibrating severity so that legitimate sites — short government domains, brand-new but real startups, internal company tools — don't get torched alongside actual phishing.

I ended up spending more time tuning the scoring weights against legitimate edge cases than writing the detection logic itself. That ratio surprised me, and it's the same ratio I now expect from any classification problem, security or otherwise.