Fingerprinting of Apache web server

22:41 28.11.2009

This is English version of my Fingerprinting of Apache web server article.

Already at 10.09.2006 I created method of fingerprinting of Apache web server. This method based on feature of Apache, which I found at that time during security researches at my localhost (on Apache 1.3.23).

Feature of Apache.

There is interesting feature of Apache web server, which lie in that for accessing to file it’s possible to not set its extension. As I found recently, this future concerned with MultiViews option (if it’s turned on, which is by default).

I.e. for accessing to file robots.txt at the site, request can be made to file robots.txt:


Or request can be made to file robots (without extension):


I.e. with making of request to file without setting of its extension, Apache will show file (which can have arbitrary extension at the server) after making of auto-addition of extension.

At that it concerns only those extensions, which is known by Apache. I.e. those ones, MIME type of which is known by Apache (which sets in settings of web server, particularly in mime.types). Order of auto-addition of extensions also sets in settings of web server.

For example, according to settings of my Apache, if to place test.html, test.txt and test.xml at the server, then at request to file test:


Content of test.xml will be shown, i.e. xml extension is going first. Html extension is going next and after that is txt extension.

Fingerprinting of Apache.

This feature can be used for identification of Apache.

For this it’s needed to find any working file at the server, which name and extension is known. For example, page.html. And after that to send two requests: http://site/page.html and http://site/page.

If in both cases there will be shown content of the same file and, which is the most important, there will be no error 404, then this web server is Apache.

Searching for hidden information.

Also this feature can be used for searching for hidden information at the sites. On which this feature of Apache will lead to information leakage.

For example, if there is a file secret.ext at the site, which extension (ext) can be complex (non-standard), or can be standard. To find this file there is no need to guess its full name (with extension), and it’ll be enough to guess only name without extension. Which allows to find this hidden file much faster.


I have happened to use this feature of Apache on own experience during security audit to find hidden information at the site, admin of which didn’t expect that somebody would find this information.

Affected versions.

This feature works in Apache 1.x - tested in Apache 1.3.23 and Apache 1.3.37. Also it works in Apache 2.x, but I haven’t happened to meet such sites on Apache 2.x. So all versions of Apache with turned on MultiViews have this feature.

For example, Google also isn’t using extensions in some scripts at their sites - - but they are using server GWS and it’s there such name set for web application. Besides Apache I haven’t happened to meet other web servers with such feature.

6 відповідей на “Fingerprinting of Apache web server”

  1. DiabloHorn каже:


    interesting I wrote a small script for this a while ago:

    The feature is indeed been known for some time now, it’s extremely nice if you want to have more results then your normal word list supports.

    It can be turned off though and a lot of web servers don’t seem to use it.


  2. MustLive каже:


    Thanks for information.

    From conversation with other reader of my site in comments I know that it is documented and known for a long time feature of Apache (MultiViews). But I looked at it from other side - I used this future for hacking purposes (for fingerprinting and information leakage). I.e. it’s Abuse of Functionality attack on Apache.

    I created this method in September 2006 when found this Apache’s behaviour (concerned with MultiViews). Only now I found time to write the article about it. But I used this method in my practice - particularly in 2007 I used it during security audit to find hidden information at the site of my client.

    It can be turned off though and a lot of web servers don’t seem to use it.

    Yes, you are right. Mostly it’s turned off nowadays at web sites in Internet, but earlier I found more web sites with it’s turned on. Even with not large prevalence, this method is interesting and can be used for fingerprinting and information leakage attacks.

  3. DiabloHorn каже:

    Yeah I can understand that. I think we both agree that it is a nice method for additional information if it’s enabled.


  4. MustLive каже:

    I wrote a small script for this a while ago

    You used module mod_negotiation as attack vector, and I used MultiViews option as attack vector. It’s different attack vectors with similar idea. I never used mod_negotiation, so I’d read more about it and about your method of attack.

    Automation of brute-forcing filenames at the servers it’s good thing ;-) , so everyone who interested can take a look at your script.

    it is a nice method for additional information if it’s enabled.


  5. DiabloHorn каже:

    as far as I know it’s part of mod_negotiation…oh well as long as the result is a nice list of files I’m happy ;)

  6. MustLive каже:


    This method works with both mod_negotiation and MultiViews. But they are different features of Apache.

    as far as I know it’s part of mod_negotiation

    MultiViews is a built-in feature of Apache. It works without mod_negotiation or any other module (it’s core feature) - it works on my Apache 1.3.23 and I haven’t mod_negotiation module. So attacks on MultiViews feature can work on any site on Apache with or without mod_negotiation ;-) (just MultiViews needs to be turned on).

    I got to know about this module recently, when was publishing my article, when I was looking about information if Apache 2 support MultiViews. Yes it does support it (and I also found that there is such mod_negotiation module for Apache 1.3.x and 2.x).

    I just looked at Apache Module mod_negotiation documentation and as I saw - this module support the same feature as MultiViews and much more (it’s more advanced variant of it). If there is such module on server it overrides MultiViews functionality to itself (and adds new functionality) and if there is no such module, then built-in MultiViews works.

Leave a Reply

You must be logged in to post a comment.