Unicode meets domain names
Did you know the Unicode character ㎣ (U+33A3), which stands for cubic millimeters, is treated by browsers exactly the same as the ASCII letters mm3 when resolving domain names? So ㎣.uk and mm3.uk are the same domain under the hood!
Browsers support Internationalized Domain Names (IDNs), which allow Unicode characters in domain names. When you enter a domain such as 你好.xyz, the browser converts it to xn--6qq79v.xyz using Punycode.
But Unicode also defines confusable mappings (characters that look alike but have different code points), and browsers normalize those too before resolving. This is why ㎣ is treated as mm3.
For deeper understanding, check out these resources:
Using Unicode characters as domain aliases helps shorten domain names without losing meaning. This is especially handy when every character counts — for example, in security testing, when crafting XSS payloads within strict character limits. It’s also useful to circumvent input validation. For example, SSRF protection mechanisms can be bypassed when an attacker uses ₁₂₇.₀.₀.₁ instead of 127.0.0.1 to trick application-layer validation functions.
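The defensive consequence of this normalization is that any allow/deny check on a hostname has to run on the canonical form, not on the raw string the user typed. The Python example below is added here and is not code from the original post: it canonicalizes a hostname with the standard library only (NFKC folding plus the built-in IDNA encoder, which is IDNA 2003 rather than the UTS #46 mapping browsers use, though the two agree on the cases discussed above) and shows a constructed SSRF blocklist check that misses ₁₂₇.₀.₀.₁ before normalization and catches it after. BLOCKED_HOSTS and the function names are assumptions made for the demo.

```python
import ipaddress
import unicodedata

# Constructed blocklist for the demo: names a server-side fetcher must never reach.
BLOCKED_HOSTS = {"localhost", "metadata.internal"}


def canonical_host(host: str) -> str:
    """Return the hostname the way a browser or resolver will actually see it.

    NFKC compatibility normalization is the step that folds ㎣ (U+33A3) to 'mm3'
    and the subscript digits in ₁₂₇.₀.₀.₁ to '127.0.0.1'. The stdlib 'idna'
    codec then turns any remaining non-ASCII label into its xn-- Punycode form,
    so 你好.xyz becomes xn--6qq79v.xyz.
    """
    folded = unicodedata.normalize("NFKC", host).lower().rstrip(".")
    return folded.encode("idna").decode("ascii")


def naive_is_blocked(host: str) -> bool:
    """Policy applied to the raw string: exact name match or a non-global IP.

    ipaddress rejects non-ASCII digits, so ₁₂₇.₀.₀.₁ falls through as 'not an
    IP' and is allowed, even though it resolves to loopback.
    """
    if host in BLOCKED_HOSTS:
        return True
    try:
        return not ipaddress.ip_address(host).is_global
    except ValueError:
        return False


def is_blocked(host: str) -> bool:
    """Same policy, but evaluated on the canonical form of the hostname."""
    return naive_is_blocked(canonical_host(host))


if __name__ == "__main__":
    for candidate in ("㎣.uk", "你好.xyz", "₁₂₇.₀.₀.₁"):
        print(candidate, "->", canonical_host(candidate),
              "| raw check blocks:", naive_is_blocked(candidate),
              "| canonical check blocks:", is_blocked(candidate))
```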
Beyond infosec, it opens doors for creative domain branding by using unique Unicode symbols that look cool but behave exactly like standard ASCII domains. In short, this technique offers both technical advantages in security and development, and branding opportunities for domain owners.
This should pop up an alert box, showing you that ㎣.uk behaves just like mm3.uk. Feel free to use this 19-character payload to test for XSS in length-constrained input fields and parameters.