Is missav.live safe?

encoded payload

suspicious base64-like blobs detected in page content

malicious redirect

script/meta redirect patterns detected in page source

js obfuscation

JavaScript uses eval() with String.fromCharCode — common obfuscation

js obfuscation

JavaScript appears to use a common packer pattern (p,a,c,k,e,d)

credential harvesting

The site collects user email, password, and account credentials through login/register/change-password forms that POST to missav.live API endpoints. While this is a self-hosted login form, the domain uses a .live TLD with no visible ownership information, and collects credentials with no observable security/privacy policy linked at the point of collection. (location: page.html:456-534 (login/register/forget/changePassword functions))

malicious redirect

Multiple outbound links in the 'More sites' navigation menu use bit.ly shortlinks (obfuscated destinations) pointing to external adult platforms. The actual destination URLs are hidden behind URL shorteners (bit.ly/4gRZIHs, bit.ly/4bQtWu8, bit.ly/3HXTrNA, bit.ly/4rdPxBm, bit.ly/4tO0bAC, bit.ly/4apXHPS, bit.ly/46CgsyZ, bit.ly/4o2Ad8Q, bit.ly/3JkoZxK), preventing users or agents from knowing where they will be redirected. (location: page.html:1437-1507)

obfuscated code

A deeply nested eval-based JavaScript obfuscation pattern is present at the bottom of the page using the classic p,a,c,k,e,d packer (double-packed). The obfuscated code appears to check whether the current hostname matches a list of domain strings (missav888.com, 123av.org, missav01.com, thisav2.com, kiddew.com, m.this.av) and likely performs domain-based conditional logic or redirects. This technique is commonly used to hide malicious behavior from static analysis. (location: page.html:5774-5776)

hidden content

The site logo text 'MISSAV' is rendered with style='visibility: hidden;' in multiple locations (header and footer), making the brand name invisible to users while still present in the DOM. This pattern can be used to serve content to scrapers/crawlers differently than to human users, and is a known cloaking technique. (location: page.html:902, 5552, 5687)

hidden content

A hidden 1x1 pixel iframe is injected via inline JavaScript (Cloudflare challenge-platform script) that creates an invisible iframe (height=1, width=1, visibility:hidden) and injects additional scripts into it. While attributed to Cloudflare bot protection, this pattern of hidden iframe + dynamic script injection is a vector for covert third-party script execution. (location: page.html:5778)

social engineering

The 'More sites' menu promotes pirated/cracked versions of well-known platforms using labels like '哔咔漫画破解版' (Bikini Comics cracked), '成人抖阴破解版' (Adult Douyin cracked), 'TikTok成人版' (TikTok adult version), '糖心vlog破解版' (Tangheart vlog cracked) — falsely implying these are legitimate cracked versions of popular apps to entice clicks to unknown destinations via bit.ly redirects. (location: page.html:1442-1507, page-text.txt:522-548)

malicious redirect

Third-party ad script loaded from sunnycloudstone.com (//sunnycloudstone.com/62/bd/ca/62bdca270715b3b43fbac98597c038f1.js) is injected dynamically into the document head. This domain is not a recognized ad network and the script path is obfuscated with a hash. Dynamically injected scripts from unknown CDN domains can deliver payloads that redirect users or serve malicious ads. (location: page.html:5704-5708)

prompt injection

The page encodes a large blockedKeywords object in the Alpine.js x-data attribute that maps terms like 'rape', 'child', 'loli', 'forced', 'drugged' to replacement strings like 'play' or 'played'. This keyword substitution system actively rewrites content to obscure illegal or harmful terminology in rendered output, which could cause an AI agent analyzing visible page text to miss harmful content that is present in the underlying data. (location: page.html:104 (blockedKeywords in x-data))