All of the top three hosting company web sites this month had the same number of failed requests - five each. The top three hosting companies are therefore ranked based on performance and the average connection times to their sites.

Datapipe was the best performing hosting company in September 2010. Datapipe has datacentres in the U.S., the U.K. and China. The company has a strong sustainability policy and powers two of its American datacentres using renewable energy. Datapipe has consistently performed well, having been in the top ten every month since last November.

This month's second best performing hoster was UK-based Netcetera. Netcetera was founded in 1996 and provides co-location, dedicated servers and managed hosting.

The third best performing this month was Virtual Internet, also a UK-based hoster founded in 1996. The company primarily provides managed hosting services, focusing on high availability and resilience.

Six of the top ten hosting company web sites this month are running Linux.

Netcraft measures and makes available the response times of around forty leading hosting providers' sites. The performance measurements are made at fifteen minute intervals from separate points around the internet, and averages are calculated over the immediately preceding 24 hour period.

From a customer's point of view, the percentage of failed requests is more pertinent than outages on hosting companies' own sites, as this gives a pointer to reliability of routing, and this is why we choose to rank our table by fewest failed requests, rather than shortest periods of outage.

Information on the measurement process and current measurements is available.

Earlier this morning, an Australian teenager discovered a new cross-site scripting vulnerability on twitter.com. Just a couple of hours later, hackers used the same flaw to launch a massive XSS worm attack against Twitter users.

By posting specially crafted tweets, zzap noticed he could get other Twitter users to execute arbitrary JavaScript whenever they moved the mouse cursor over the affected messages.

zzap appears to have discovered the vulnerability shortly after seeing RainbowTwtr's colourful use of CSS injection to display the colours of the rainbow.

Using a similar technique, zzap was able to inject an onmouseover attribute containing arbitrary JavaScript. This was first demonstrated with an "uh oh" message, which zzap recognised as an XSS vulnerability.

zzap (jokingly?) suggested that nobody should tell the 4chan forum about the XSS vulnerability; however, some other users have already started Rickrolling other users by tweeting Rick Astley lyrics in pop-up JavaScript alert messages. It is feasible for much larger JavaScript payloads to be loaded from external websites, which could allow complex cross-site request forgery attacks (CSRF) against authenticated Twitter users.

zzap later demonstrated that it was possible to steal cookies from Twitter users, by displaying the contents in another pop-up message. This could be mitigated to some extent if Twitter used the HttpOnly attribute for their cookies — this would prevent injected scripts from being able to directly access the document.cookie value.

Although the XSS exploits demonstrated by zzap were mostly harmless, some users were nonetheless baffled by the unexpected behaviour and concluded that Twitter had been hacked:

zzap told another Twitter user that the flaw could be used to steal account information, while one of his other examples made the obvious point:

Rather impressively (and also unfortunately), it took less than 2 hours for hackers to exploit this vulnerability in a wide scale fashion. Many users have already been targeted by scripts which attempt to propagate in a worm-like fashion, or load larger JavaScript payloads from external locations.

Searching Twitter for "onmouseover" shows many of the different attack vectors currently being exploited and propagated:

The vulnerability is still present right now, but John Adams at Twitter Security responded to Netcraft within just a few minutes to say they are looking into it.

In the September 2010 survey we received responses from 227,225,642 sites.

This month saw the number of responses to our survey increase by nearly 14M sites and a change in web server market share similar to last month's, with Apache continuing to gain at Microsoft and Google's expense. Notable increases include a 1.5M gain in hostnames for Servage, an almost 700% increase over last month, and gains of around 500k hostnames at ThePlanet.com, SAVVIS and GoDaddy.

Apache experienced a smaller jump in market share this month compared with last despite gaining more hostnames, with an increase of just over 10M. This growth was fairly widely spread across a variety of hosters and it boosted Apache's market share by another percentage point.

Microsoft gained over a million hostnames but it was not enough to prevent a loss of nearly 1 percentage point of market share.

lighttpd's large gains in August were not repeated this month and instead saw a slight drop in hostnames and market share.

nginx also gained 1M hostnames, but with little effect on its market share. nginx continues its slow but steady rise in market share amongst the Million busiest sites. Over the last two years nginx has risen from just under 20k sites to nearly 55k, while Microsoft has lost the same number of sites.

Rackspace was the most reliable hosting company in August 2010. Rackspace, which has data centres across the U.S., U.K. and Hong Kong, has recently expanded their UK headquarters in Middlesex, to cater for EMEA based customers.

Last month's most reliable hosting company, New York Internet, comes in at second place this month. New York Internet host part of the FreeBSD Project's infrastructure at their recently opened data centre based in Bridgewater, New Jersey.

This month's third most reliable hosting company is U.K. based Virtual Internet with data centres present in Manchester and London. Fourth is low-cost shared hosting provider One.com and fifth is Qube Managed Services Limited with data centres based in London, New York and Zurich.

In the top 10 this month, all but 2 companies run Linux and there was an average of 0.03% failed requests to their sites from our performance collectors.

Netcraft measures and makes available the response times of around forty leading hosting providers' sites. The performance measurements are made at fifteen minute intervals from separate points around the internet, and averages are calculated over the immediately preceding 24 hour period.

From a customer's point of view, the percentage of failed requests is more pertinent than outages on hosting companies' own sites, as this gives a pointer to reliability of routing, and this is why we choose to rank our table by fewest failed requests, rather than shortest periods of outage.

Information on the measurement process and current measurements is available.

For the second time this year, New York Internet was found to be the most reliable hosting company website. Its data centre is situated at the intersect of two separate power grids and has high-bandwidth connectivity partners AboveNet, Verizon Business, Optimum Lightpath, and AT&T to offer full redundancy and added capacity. The company recently opened a 40,000 square foot facility in Bridgewater, New Jersey.

Last month's most reliable hoster, INetU, is now second on our table - failing to respond to only 3 of our requests.

For a second consecutive month Multacom, who run FreeBSD, are fourth on our table. Multacom was founded in 1997 in Orange County, California and later incorporated under Multacom Corporation with corporate office in Canyon Country, California and Datacenters in downtown Los Angeles.

This month also sees the lowest average failed requests across the top 10 most reliable hosters (at 0.013%) since October 2009 (0.007%). Additionally, Swishmail enters the top 10 this month running FreeBSD; this means that there are now 5 hosting companies running FreeBSD, 4 running Linux and 1 running Windows Server 2003.

Netcraft measures and makes available the response times of around forty leading hosting providers' sites. The performance measurements are made at fifteen minute intervals from separate points around the internet, and averages are calculated over the immediately preceding 24 hour period.

From a customer's point of view, the percentage of failed requests is more pertinent than outages on hosting companies' own sites, as this gives a pointer to reliability of routing, and this is why we choose to rank our table by fewest failed requests, rather than shortest periods of outage.

Information on the measurement process and current measurements is available.