Content Sniffing Metrics - Web Security Research at Berkeley

Content Sniffing Data

Data as of September 26, 2008

Content-Types That Activated the Sniffer

Scale: out of 100%. Only responses with these Content-Types will activate the content sniffer. Not all mime types can be sniffed from all Content-Types. No data was recorded about what percent of requests activate the sniffer.

Content-Type	Quantity
text/plain	32.64%
text/xml	30.38%
(No Content-Type)	14.25%
application/octet-stream	12.90%
application/xml	9.71%
(Bogus, aka no "/")	0.0833%
application/unknown	0.0201%
unknown/unknown	0.0144%
/	0.0057%

Magic Numbers

Scale: out of 100%. The content sniffer looks for the magic number (expressed here in C notation) at the start of the HTTP response. The sniffer only examines HTTP responses with certain Content-Type headers (see below), so this data reflects only responses with those Content-Type headers.

Magic Number	Sniffed Content Type	Quantity
\xFF\xD8\xFF	image/jpeg	73.2369%
GIF89a	image/gif	16.8166%
\x89PNG\x0D\x0A\x1A\x0A	image/png	6.8840%
MZ	application/octet-stream	0.9108%
Rar!\x1A\x07\x00	application/x-rar-compressed	0.6699%
BM	image/bmp	0.3730%
GIF87a	image/gif	0.3141%
"\x30\x26\xB2\x75\x8E\x66\xCF\x11" "\xA6\xD9\x00\xAA\x00\x62\xCE\x6C"	video/x-ms-asf	0.2431%
PK\x03\x04	application/zip	0.2178%
ID3	audio/mpeg	0.1772%
%PDF-	application/pdf	0.07913%
\x1F\x8B\x08	application/x-gzip	0.03149%
\x2E\x52\x4D\x46	audio/x-pn-realaudio	0.02904%
\xD7\xCD\xC6\x9A	application/x-msmetafile	0.004032%
LN\x02\x00	application/winhlp	0.002070%
\xC5\xD0\xD3\xC6	application/postscript	0.001940%
{\\rtf1	application/rtf	0.001589%
\x4A\x47\x04\x0E\x00\x00\x00	image/x-jg	0.001193%
#!	text/plain	0.001185%
II*	image/tiff	< 0.001%
"\x7F" "ELF"	application/octet-stream	< 0.001%
\xE9	application/octet-stream	< 0.001%
\xE8	application/octet-stream	< 0.001%
%!PS-Adobe-	application/postscript	< 0.001%
\xEB	application/octet-stream	< 0.001%
From	text/plain	< 0.001%
MM\x00*	image/tiff	< 0.001%
\x1F\x9D\x90	application/x-compress	< 0.001%
?_\x03	application/winhlp	< 0.001%
\x00\x00\x20\x00	image/x-icon	< 0.001%
\x4A\x47\x03\x0E\x00\x00\x00	image/x-jg	< 0.001%
#define\x20	image/x-xbitmap	< 0.001%
\x00\x00\x10\x00	image/x-icon	< 0.001%
#%	text/plain	< 0.001%
P5\x0A	image/x-portable-graymap	< 0.001%
">\x20" "From"	text/plain	none
\x01\xDA\x01\x01\x00\x03	image/x-rgb	none
BZ	application/x-bzip2	none
I\x20I	image/tiff	none
\x4A\x47\x04\x0E\x00\x00\x00	image/x-jg	none
{\\rtf1	application/rtf	none

Byte Order Marks

Scale: out of 22.52%. The sniffer checks for a byte order mark at the beginning if certain HTTP responses.

Mark	Charset	Quantity
\xEF\xBB\xBF	UTF-8	17.4296%
\xFF\xFE	UTF-16LE	5.0548%
\xFE\xFF	UTF-16BE	0.03246%
\x00\x00\xFE\xFF	UCS-4BE	< 0.0001%

HTML Tags

Scale: out of 22.19%. When scanning for HTML tags, the sniffer first skips any leading white space and then looks for the tags below. The checks are case insensitive, except for "<?xml".

Tag	Quantity
<script	20.1647%
<html	1.5660%
<?xml	1.3761%
<!--	0.5394%
<head	0.3771%
<!DOCTYPE html	0.3299%
<iframe	0.3210%
<h1	0.2700%
<div	0.07008%
<font	0.05681%
<table	0.04286%
<a	0.03166%
<style	0.01501%
<title	0.01174%
<b	0.003531%
<body	0.002923%
<br	0.002834%
<p	0.002581%
<meta	0.001616%
<form	0.001345%
<img	0.001251%
<center	< 0.001%
<h3	< 0.001%
<tr	< 0.001%
<link	< 0.001%
<h2	< 0.001%
<frameset	< 0.001%
<h4	< 0.001%
<base	< 0.001%
<td	< 0.001%
<pre	< 0.001%
<basefont	none
<applet	none
<isindex	none
<h5	none
<h6	none