Although JSP has a tiny fraction of the installed base of PHP and ASP, and numbers of specialist servlet web servers are completely dwarfed by Apache and Microsoft-IIS, Java-related technology has a much bigger impact on the Web than the raw site numbers suggest. Over the last year JSP has been the fastest growing scripting technology after ASP.NET. JSP sites are often bigger, more complex, and better funded and run by larger organisations than sites using the more common scripting technologies.
The higher investment on these sites makes them attractive targets for hosting and site development companies, while the relatively large number of players in the application server market means that they are likely recipients of competitive upgrade offers. With Windows 2003 launching later this month and providing some application server functionality out of the box, it is also likely that Java-based sites will be strenuously encouraged to evaluate the .Net Framework.
Tracking sites using Java-based application servers is not straightforward, and often requires inspection of the site content. In particular, sites using Microsoft-IIS or Netscape-Enterprise as a web server may be running servlet engines that do not provide a signature in the HTTP server header, and tracking these servers has to be done through analysis of the site content.
With the proviso that a better and more accurate view can be had by taking more content from the site, and that sites using Servlet Engines with Apache, Microsoft and SunONE web servers would not be included by this view, it is still possible to take a quick and simple view of what is going on from the HTTP server headers.
Java Servlet Engines, April 2003
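| Servlet Engine | By IP Address | Sites | Ratio |
|---|---|---|---|
| Tomcat | 9253 | 64532 | 6.97 |
| Resin | 9059 | 138664 | 15.31 |
| IBM | 9049 | 38730 | 4.28 |
| Oracle | 5156 | 18072 | 3.51 |
| WebLogic | 1716 | 6819 | 3.97 |
| Orion | 1062 | 6358 | 5.99 |
| Jetty | 635 | 1865 | 2.94 |
| JavaWebServer | 388 | 949 | 2.45 |
| SilverStream | 370 | 966 | 2.61 |
| JRun (*) | 264 | 17859 | 67.65 |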
From the table, Resin, Tomcat, IBM and Oracle are popular choices for those websites that support Java-based web applications.
This is not an exhaustive list of servlet engines - for example some older engines, such as Apache JServ, still have a wide presence across the net, but are now deprecated in favour of newer implementations.
(*) The high ratio of sites per address for JRun is caused by two hosts that support many thousands of sites.
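The header-only view described above can be sketched as follows. This is an added example, not the survey's own code: the signature patterns and the sample observations are assumptions constructed for illustration. It counts distinct IP addresses and sites per engine, derives the sites-per-address ratio, and shows the blind spot where a front-end web server hides the engine.

```python
import re
from collections import defaultdict

# Assumed Server-header signatures for some engines in the table (illustrative,
# not the survey's own matching rules).
ENGINE_PATTERNS = [
    ("Tomcat", re.compile(r"\b(Tomcat|Apache-Coyote)\b", re.I)),
    ("Resin", re.compile(r"\bResin/", re.I)),
    ("WebLogic", re.compile(r"\bWebLogic\b", re.I)),
    ("Jetty", re.compile(r"\bJetty\b", re.I)),
]

# Constructed observations: (hostname, IP address, Server header).
SAMPLE = [
    ("shop.example.com", "192.0.2.10", "Apache Tomcat/4.0.6 (HTTP/1.1 Connector)"),
    ("www.example.com", "192.0.2.10", "Apache-Coyote/1.1"),
    ("a.example.net", "192.0.2.20", "Resin/2.1.6"),
    ("b.example.net", "192.0.2.20", "Resin/2.1.6"),
    ("c.example.net", "192.0.2.21", "Resin/2.1.6"),
    ("app.example.org", "192.0.2.30", "Microsoft-IIS/5.0"),  # engine hidden by IIS
    ("api.example.org", "192.0.2.31", "Jetty/4.2.9"),
]

def classify(server_header):
    """Return the engine name for a Server header, or None if no signature."""
    for name, pattern in ENGINE_PATTERNS:
        if pattern.search(server_header or ""):
            return name
    return None

def tally(observations):
    """Count distinct IPs and sites per engine; ratio is sites per address."""
    ips, sites = defaultdict(set), defaultdict(set)
    unidentified = 0
    for host, ip, header in observations:
        engine = classify(header)
        if engine is None:
            unidentified += 1  # would need content inspection to classify
            continue
        ips[engine].add(ip)
        sites[engine].add(host.lower())
    rows = {e: (len(ips[e]), len(sites[e]), round(len(sites[e]) / len(ips[e]), 2))
            for e in ips}
    return rows, unidentified

if __name__ == "__main__":
    rows, missed = tally(SAMPLE)
    for engine, (n_ip, n_site, ratio) in sorted(rows.items()):
        print(f"{engine:10} {n_ip:5} {n_site:6} {ratio:6.2f}")
    print("no engine signature in Server header:", missed)
```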
In the March 2003 survey we received responses from 39,174,349 sites.
Market Share for Top Servers Across All Domains August 1995 - March 2003
| Developer | February 2003 | Percent | March 2003 | Percent | Change |
|---|---|---|---|---|---|
| Apache | 22492327 | 62.72 | 24486857 | 62.51 | -0.21 |
| Microsoft | 9687454 | 27.01 | 10748795 | 27.44 | 0.43 |
| Zeus | 768951 | 2.14 | 794940 | 2.03 | -0.11 |
| SunONE | 428004 | 1.19 | 419120 | 1.07 | -0.12 |
Windows 2000 goes past one million IP addresses for the first time this month. Including sites running NT4 and Windows 2003, there are slightly over 1.5 million internet web sites running a Microsoft operating system.
On 17th March Microsoft issued a security alert regarding a buffer overflow vulnerability which allows attackers to execute arbitrary code on Windows 2000 machines. The vulnerability is triggered by the Microsoft-IIS/5.0 implementation of the World Wide Web Distributed Authoring and Versioning (WebDAV) protocol and is specific to Microsoft-IIS/5.0 - WebDAV was not supported in Microsoft-IIS/4.0, and Microsoft-IIS/6.0 is reported to be unaffected.
Microsoft-IIS/5.0 runs about 9 million web sites on just over 1 million IP addresses, making it the most widely deployed web server that has WebDAV enabled by default. Many sites disable WebDAV: best practice dictates that features that are not used should be disabled, and the IIS Lockdown tool recommended by Microsoft can disable WebDAV. However, although the number of sites that have disabled WebDAV is significant, our own data indicates that around three quarters of Microsoft-IIS/5.0 servers have WebDAV enabled, implying that at the time of announcement there were over 6 million vulnerable web sites.
The actual vulnerability occurs in a system DLL called by the WebDAV component, not in the WebDAV support itself. There may be ways to exploit this vulnerability via other components, or even other products. There is believed to be an exploit already in the wild for this vulnerability, and Windows 2000 administrators should apply the patch as soon as possible. CERT have issued an advisory (CA-2003-09), and Microsoft have issued a patch (see bulletin MS03-007).
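An administrator can confirm from an OPTIONS response whether a Microsoft-IIS/5.0 host still advertises WebDAV. The following is an added example, not Netcraft's or Microsoft's code; the host names and responses are constructed, and the checks (a `DAV` header, or RFC 2518 methods in `Allow`/`Public`) are this example's assumptions. Since the flaw sits in a system DLL, a host that passes this check still needs the patch.

```python
# WebDAV extension methods defined by RFC 2518.
DAV_METHODS = {"PROPFIND", "PROPPATCH", "MKCOL", "COPY", "MOVE", "LOCK", "UNLOCK"}

# Constructed OPTIONS responses, standing in for captures from your own hosts.
SAMPLES = {
    "web01": "HTTP/1.1 200 OK\r\nServer: Microsoft-IIS/5.0\r\nDAV: 1, 2\r\n"
             "Public: OPTIONS, GET, HEAD, POST, PROPFIND, PROPPATCH, LOCK\r\n"
             "Allow: OPTIONS, GET, HEAD, PROPFIND, LOCK\r\n\r\n",
    "web02": "HTTP/1.1 200 OK\r\nserver: Microsoft-IIS/5.0\r\n"
             "Allow: OPTIONS, TRACE, GET, HEAD\r\n\r\n",
    "web03": "HTTP/1.1 200 OK\r\nServer: Microsoft-IIS/6.0\r\nDAV: 1, 2\r\n"
             "Allow: OPTIONS, GET, HEAD, PROPFIND\r\n\r\n",
}

def parse_headers(raw):
    """Parse a raw response head into {lowercased name: value}."""
    headers = {}
    for line in raw.split("\r\n\r\n", 1)[0].split("\r\n")[1:]:  # skip status line
        name, sep, value = line.partition(":")
        if sep:
            key, value = name.strip().lower(), value.strip()
            headers[key] = f"{headers[key]}, {value}" if key in headers else value
    return headers

def webdav_signals(headers):
    """List the reasons a response indicates WebDAV is enabled."""
    reasons = []
    if "dav" in headers:
        reasons.append("DAV header: " + headers["dav"])
    for field in ("allow", "public"):
        methods = {m.strip().upper() for m in headers.get(field, "").split(",")}
        found = sorted(methods & DAV_METHODS)
        if found:
            reasons.append(field + " lists " + ", ".join(found))
    return reasons

def audit(samples):
    """Map host -> reasons, for Microsoft-IIS/5.0 hosts advertising WebDAV."""
    findings = {}
    for host, raw in samples.items():
        headers = parse_headers(raw)
        reasons = webdav_signals(headers)
        if headers.get("server", "").startswith("Microsoft-IIS/5.0") and reasons:
            findings[host] = reasons
    return findings

if __name__ == "__main__":
    for host, reasons in audit(SAMPLES).items():
        print(host, "->", "; ".join(reasons))
```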
The patch requires a reboot to become effective, and we have noticed that over half of the Microsoft-IIS/5.0 servers on the internet were rebooted during a two day period after the announcement. The number of sites rebooting sets a lower bound on the uptake of the patch [a reboot is necessary as part of the patch installation] but will overstate the number of patched systems, as some sites will have rebooted for other reasons.
In the February 2003 survey we received responses from 35,863,952 sites.
Market Share for Top Servers Across All Domains August 1995 - February 2003
| Developer | January 2003 | Percent | February 2003 | Percent | Change |
|---|---|---|---|---|---|
| Apache | 22,045,420 | 62.23 | 22,492,327 | 62.72 | 0.49 |
| Microsoft | 9,739,590 | 27.49 | 9,687,454 | 27.01 | -0.48 |
| Zeus | 736,744 | 2.08 | 768,951 | 2.14 | 0.06 |
| SunONE | 471,942 | 1.33 | 428,004 | 1.19 | -0.14 |
One of the goals of Apache/2.0 was to better support operating systems other than Unix. While the Windows version of Apache/1.3 was advertised as experimental, it was hoped that in Apache/2.0 it would become much more widely established. However, since the first general release of Apache/2.0 there have been a string of security problems in the Windows (and other non-Unix) versions that may undermine confidence in the suitability of Apache for these platforms.
Windows Apache entries listed at mitre.org's common vulnerabilities database include directory traversal using dot-dot paths, revealing script source by appending invalid characters, and DOS device names causing a denial-of-service. The striking thing is that these are stereotypical vulnerabilities that over the years many other products have suffered from, and fixed. Apache developers will be disappointed that they were not able to learn from other people's mistakes sufficiently well to pre-empt the same vulnerabilities appearing in their own server.
In the current month's survey we find over 16,000 Apache Win32 sites on the Web which may be vulnerable to one of these problems.
Notwithstanding the security problems, the support for threading in Apache/2.0 is a major performance breakthrough for the Windows version and consequently sites using Apache on Windows have a bigger incentive to upgrade to version 2 than sites on Unix. This is reflected in the relative uptake of Apache/2.0: a little over 1% of all Apache sites are running version 2, but amongst Windows servers the proportion is over 7%.