In bug bounty hunting, having a short domain for XSS payloads can be the difference in exploiting a bug or not… and it’s just really cool to have a nice domain for payloads, LOL.
One morning after I went full time bug bounty back in January, I decided to find me a nice domain for POCs and payloads. It turned into a full day adventure. I spent around six hours reversing engineering domain-provider APIs and automating the process of checking which domains are available.
ASCII and Unicode
When it comes to domains for payloads, sometimes every character counts. ASCII and Unicode character counts both matter. Many Unicode characters resolve to ASCII for urls, which means if you’re crafting an XSS or SSRF payload, a short domain can sometimes be exactly what you meed.
For example, a domain like 1.com is straightforward with 4 ASCII and 4 Unicode characters because it doesn’t condense. But then there’s rad.pw, which I own. It has 5 ASCII characters but only 2 Unicode because “㎭” and “㎺” are each a single Unicode character.
The Hunt for the Shortest Domain
My goal was to find the lowest character count possible, ideally 3 ASCII and 2 Unicode, like 1.rs. Unfortunately, those are (mostly) all taken. So, I set my sights on finding a domain with 4 ASCII and 2 Unicode characters.
However, finding such a domain at a reasonable price proved to also be a challenge. After much searching, I ended up with:
rad.pw: 5 ASCII, 2 Unicode, and “rad password” is a cool domain for POCst4.rs: 4 ASCII, 3 Unicode because t4 doesn’t condense, and short for tars the robotkm3.pw: 5 ASCII, 2 Unicode. I got this one first, before finding the other two. If anyone is interested in having it, I don’t really need it so let me know if you’d like it.
Sidenote: Due to this whole process, I added this tool to my website: ASCII to Unicode Character Reducer
Hidden Gems and Pricey Finds
During my search, I stumbled upon some intriguing domains. If you’re willing to splurge, you can snag a 4 ASCII and 2 Unicode domain from nic.st. Domains like rs.st are available, but they come with a hefty price tag—€799 due to being a 4-character domain, plus an annual fee of €29.
The Holy Grail of Domains
The ultimate find though, and pricey at €1500 are a couple of domains: 2.st and 9.st (and maybe 1-2 other [number].st domains), are 3 ASCII and 2 Unicode. These are rare gems, and there’s no way to reduce them further.
Or is there?
All character counts I’ve mentioned so far include the period/dot, but technically, there’s a set of Unicode character that combine a number and a period, like ⒉ so ones like these ⒉st are actually even smaller. The sad thing is browsers (and unicode normalizers that I tested) don’t convert ⒉ to 2., they just convert it to 2 and drop the period. So, while these domains are technically shorter, they don’t work in practice AFAICT.
EDIT: Okay so I just found out that ⒉st does get converted to 2.st in javascript and python.
JavaScript:
Both normalize(‘NFKC’) and normalize(‘NFKD’) convert “⒉st” → “2.st”
Python:
Both unicodedata.normalize(‘NFKC’) and unicodedata.normalize(‘NFKD’) ALSO convert “⒉st” → “2.st”
Tell Me What You Find
I find all this super interesting so please tag me and tell me what your best domain is and if I’ve missed a tld or something with some golden domains.
- Joseph
Sign up for my email list to know when I post more content like this. I also post my thoughts on Twitter/X.
