Or looking for known, fixed vulnerabilities on servers that should know better (and several that shouldn't)
 

Early Results

After 10 days of execution, we gathered responses from the Alexa top 100,000 servers. We also created a dataset from the bottom 10,000 in the Alexa top 1M, which gives us a sample of smaller web sites to analyze.

Today, we began our analysis work in earnest. In addition to statistical data on the prevalence of various web servers and versions, we found some surprising information regarding the behavior of servers when asked to provide an HTML document as a CSS style sheet. Of the top 100k servers, nearly 200, when asked for an HTML document as a CSS style sheet, served up the HTML document and reported its MIME type as CSS. This would defeat any browser-side security features aimed at preventing cross-origin CSS attacks through MIME type enforcement.

Most disturbingly, at least one of the sites that exhibited this behavior is a well-known site that handles financial information, while others involve users logging on to provide other potentially sensitive information, including a site used primarily for political purposes.
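A site operator can check captured responses from their own server for the behavior described above. The following is an added example, not the survey's own code: it classifies raw HTTP responses to a request for an HTML page as a style sheet. How the survey issued its requests is not described here, and the host names, bodies and verdict labels are constructed for illustration.

```python
import re

# Leading bytes that mark a body as an HTML document rather than a style sheet.
HTML_START = re.compile(rb"^\s*(<!doctype\s+html|<html|<head|<body)", re.I)

def parse_response(raw: bytes):
    """Split a raw HTTP/1.x response into (status, headers, body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    status = int(lines[0].split()[1])
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return status, headers, body

def classify(raw: bytes) -> str:
    """Classify the response to a request for an HTML page as a style sheet."""
    status, headers, body = parse_response(raw)
    if status != 200:
        return "not-served"
    media_type = headers.get("content-type", "").split(";")[0].strip().lower()
    is_html = bool(HTML_START.search(body[:512]))
    if media_type == "text/css" and is_html:
        return "html-labelled-as-css"    # the behavior reported in the post
    if is_html:
        return "html-labelled-honestly"  # browser MIME enforcement can reject it
    return "not-html"

# Constructed sample responses (hosts and bodies are made up for illustration).
PAGE = b"<!DOCTYPE html>\n<html><body>account: 1234</body></html>"
SAMPLES = {
    "relabels.example": b"HTTP/1.1 200 OK\r\nContent-Type: text/css\r\n\r\n" + PAGE,
    "honest.example": b"HTTP/1.1 200 OK\r\nContent-Type: text/html; charset=utf-8\r\n\r\n" + PAGE,
    "refuses.example": b"HTTP/1.1 406 Not Acceptable\r\nContent-Length: 0\r\n\r\n",
    "real-css.example": b"HTTP/1.1 200 OK\r\nContent-Type: text/css\r\n\r\nbody { margin: 0 }",
}

def audit(samples):
    """Return {host: classification} for every captured response."""
    return {host: classify(raw) for host, raw in samples.items()}

if __name__ == "__main__":
    for host, verdict in audit(SAMPLES).items():
        print(f"{host:20} {verdict}")
```

Only the first verdict, an HTML body served with a `text/css` content type, corresponds to the case where MIME type enforcement in the browser has nothing to reject.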

Ongoing analysis will produce more interesting results. Stay tuned to this blog to find out more.
