Fair Use: Please note that use of the Netcraft Blog is subject to our Fair Use and Copyright policies. For more information, please visit http://news.netcraft.com/fair-use-copyright, or email info@netcraft.com.
  1. Twitter users fall victim to new XSS worm

    Earlier this morning, an Australian teenager discovered a new cross-site scripting vulnerability on twitter.com. Just a couple of hours later, hackers used the same flaw to launch a massive XSS worm attack against Twitter users.

    By posting specially crafted tweets, zzap noticed he could get other Twitter users to execute arbitrary JavaScript whenever they moved the mouse cursor over the affected messages.

    zzap appears to have discovered the vulnerability shortly after seeing RainbowTwtr's colourful use of CSS injection to display the colours of the rainbow.

    Using a similar technique, zzap was able to inject an onmouseover attribute containing arbitrary JavaScript. This was first demonstrated with an "uh oh" message, which zzap recognised as an XSS vulnerability.

    zzap (jokingly?) suggested that nobody should tell the 4chan forum about the XSS vulnerability; however, some other users have already started Rickrolling other users by tweeting Rick Astley lyrics in pop-up JavaScript alert messages. It is feasible for much larger JavaScript payloads to be loaded from external websites, which could allow complex cross-site request forgery attacks (CSRF) against authenticated Twitter users.

    zzap later demonstrated that it was possible to steal cookies from Twitter users, by displaying the contents in another pop-up message. This could be mitigated to some extent if Twitter used the HttpOnly attribute for their cookies — this would prevent injected scripts from being able to directly access the document.cookie value.
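The attribute-context breakout behind the onmouseover injection described above, the output encoding that prevents it, and the HttpOnly cookie mitigation, as an added JavaScript illustration that is not code from Twitter or the Netcraft post; the function names and the sample tweet link are constructed for the example.

```javascript
// Added example, not code from Twitter or the Netcraft post. Shows the
// attribute-context breakout behind an onmouseover injection and the
// output encoding that prevents it. All names and inputs are constructed.

// Naive rendering: a URL pulled from a tweet is concatenated straight into
// the href attribute, so a double quote in it ends the attribute and the
// remainder is parsed as further attributes of the <a> element.
function renderLinkVulnerable(url) {
  return '<a href="' + url + '">' + url + '</a>';
}

// Encode the characters that change meaning in HTML attribute or text
// context; an encoded quote can no longer close the attribute.
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// Hardened rendering: allow only http(s) schemes and encode on output.
function renderLinkSafe(url) {
  if (!/^https?:\/\//i.test(url)) return escapeHtml(url); // render as text
  const enc = escapeHtml(url);
  return '<a href="' + enc + '">' + enc + '</a>';
}

// Detection helper for template tests or response scanning: an on*= event
// attribute directly after a quote or whitespace that the template itself
// never emitted.
function hasInjectedHandler(html) {
  return /["'\s]on\w+\s*=/i.test(html);
}

// The HttpOnly mitigation from the text: a session cookie the browser will
// not expose through document.cookie (Secure and Path are added here too).
function sessionCookieHeader(name, value) {
  return `${name}=${encodeURIComponent(value)}; Path=/; Secure; HttpOnly`;
}

// Constructed sample: a tweet link that closes the attribute and injects a
// mouseover handler (modelled on the pattern the post describes).
const SAMPLE_URL = 'http://example.invalid/"onmouseover="x()';
```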

    Although the XSS exploits demonstrated by zzap were mostly harmless, some users were nonetheless baffled by the unexpected behaviour and concluded that Twitter had been hacked:

    zzap told another Twitter user that the flaw could be used to steal account information, while one of his other examples made the obvious point:

    Rather impressively (and also unfortunately), it took less than 2 hours for hackers to exploit this vulnerability on a wide scale. Many users have already been targeted by scripts which attempt to propagate in a worm-like fashion, or load larger JavaScript payloads from external locations.

    Searching Twitter for "onmouseover" shows many of the different attack vectors currently being exploited and propagated:

    The vulnerability is still present right now, but John Adams at Twitter Security responded to Netcraft within just a few minutes to say they are looking into it.

    Posted by Paul Mutton on 21st September, 2010 in Security

  2. September 2010 Web Server Survey

    In the September 2010 survey we received responses from 227,225,642 sites.

    This month saw the number of responses to our survey increase by nearly 14M sites and a change in web server market share similar to last month's, with Apache continuing to gain at Microsoft and Google's expense. Notable increases include a 1.5M gain in hostnames for Servage, an almost 700% increase over last month, and gains of around 500k hostnames at ThePlanet.com, SAVVIS and GoDaddy.

    Apache experienced a smaller jump in market share this month compared with last despite gaining more hostnames, with an increase of just over 10M. This growth was fairly widely spread across a variety of hosters and it boosted Apache's market share by another percentage point.

    Microsoft gained over a million hostnames but it was not enough to prevent a loss of nearly 1 percentage point of market share.

    lighttpd's large gains in August were not repeated this month and instead saw a slight drop in hostnames and market share.

    nginx also gained 1M hostnames, but with little effect on its market share. nginx continues its slow but steady rise in market share amongst the Million busiest sites. Over the last two years nginx has risen from just under 20k sites to nearly 55k, while Microsoft has lost the same number of sites.

    Graph: Total Sites Across All Domains, August 1995 - September 2010

    Graph: Market Share for Top Servers Across All Domains, August 1995 - September 2010


    Developer   August 2010   Percent   September 2010   Percent   Change
    Apache      119,664,128   56.06%    129,782,948      57.12%     1.06
    Microsoft    53,434,586   25.03%     54,787,167      24.11%    -0.92
    Google       15,526,781    7.27%     15,312,751       6.74%    -0.53
    nginx        11,713,607    5.49%     12,779,550       5.62%     0.14
    lighttpd      1,821,824    0.85%      1,818,032       0.80%    -0.05

    Posted by Netcraft on 17th September, 2010 in Web Server Survey

  3. Most Reliable Hosting Company Sites in August 2010

    Rank  Company site         OS       Outage    Failed  DNS    Connect  First  Total
                                        hh:mm:ss  Req%                   byte
    1     Rackspace            Linux    0:00:00   0.026   0.057  0.042    0.084  0.084
    2     New York Internet    FreeBSD  0:00:00   0.026   0.163  0.047    0.105  0.257
    3     Virtual Internet     Linux    0:00:00   0.026   0.250  0.111    0.379  0.692
    4     One.com              Linux    0:00:00   0.030   0.218  0.085    0.170  0.170
    5     www.qubenet.net      Linux    0:00:00   0.030   0.135  0.104    0.214  0.757
    6     www.uk2.net          Linux    0:00:00   0.037   0.247  0.114    0.232  0.605
    7     www.peer1.com        Linux    0:00:00   0.041   0.225  0.010    0.028  0.071
    8     www.serverbeach.com  Linux    0:00:00   0.041   0.163  0.010    0.070  0.104
    9     Datapipe             FreeBSD  0:00:00   0.041   0.179  0.034    0.070  0.102
    10    iWeb Technologies    Linux    0:00:00   0.041   0.164  0.100    0.201  0.201


    Rackspace was the most reliable hosting company in August 2010. Rackspace, which has data centres across the U.S., U.K. and Hong Kong, has recently expanded their UK headquarters in Middlesex, to cater for EMEA based customers.

    Last month's most reliable hosting company, New York Internet, comes in at second place this month. New York Internet hosts part of the FreeBSD Project's infrastructure at its recently opened data centre in Bridgewater, New Jersey.

    This month's third most reliable hosting company is U.K. based Virtual Internet with data centres present in Manchester and London. Fourth is low-cost shared hosting provider One.com and fifth is Qube Managed Services Limited with data centres based in London, New York and Zurich.

    In the top 10 this month, all but 2 companies run Linux and there was an average of 0.03% failed requests to their sites from our performance collectors.

    Netcraft measures and makes available the response times of around forty leading hosting providers' sites. The performance measurements are made at fifteen minute intervals from separate points around the internet, and averages are calculated over the immediately preceding 24 hour period.

    From a customer's point of view, the percentage of failed requests is more pertinent than outages on hosting companies' own sites, as it gives a pointer to the reliability of routing; this is why we choose to rank our table by fewest failed requests rather than by shortest periods of outage.

    Information on the measurement process and current measurements is available.

    Posted by Netcraft on 16th September, 2010 in Performance