This is the English version of my article Fingerprinting of Apache web server.
Back on 10.09.2006 I devised a method of fingerprinting the Apache web server. The method is based on a feature of Apache which I found at that time during security research on my localhost (on Apache 1.3.23).
Feature of Apache.
Apache has an interesting feature: a file can be accessed without specifying its extension. As I found out recently, this behaviour is tied to the MultiViews option (when it is turned on, which is the default).
That is, to access the file robots.txt on a site, the request can be made to the file robots.txt:
http://site/robots.txt
or the request can be made to the file robots (without the extension):
http://site/robots
That is, when a request is made to a file without specifying its extension, Apache automatically appends an extension and serves the file (which can have an arbitrary extension on the server).
This applies only to those extensions that Apache knows, i.e. those whose MIME type is known to Apache (set in the web server configuration, in particular in mime.types). The order in which extensions are tried is also determined by the web server configuration.
For example, with the settings of my Apache, if test.html, test.txt and test.xml are placed on the server, then for a request to the file test:
http://site/test
the content of test.xml will be shown, i.e. the xml extension comes first, then html, and after that txt.
Fingerprinting of Apache.
This feature can be used to identify Apache.
For this you need to find any working file on the server whose name and extension are known, for example page.html, and then send two requests: http://site/page.html and http://site/page.
If in both cases the content of the same file is shown and, most importantly, there is no 404 error, then the web server is Apache.
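The two-request comparison described above, written as a self-check an administrator can run against their own server to see whether extension-less access is exposed. This is an added example, not code from the original article; the URL passed on the command line, the `Response` type and the verdict labels are assumptions made for the example, and the decision logic is separated from the network fetch so it can be exercised on captured responses without a server.

```python
"""Self-check: does the server serve /page for /page.html (MultiViews-style negotiation)?"""
import sys
import urllib.error
import urllib.parse
import urllib.request
from dataclasses import dataclass


@dataclass
class Response:
    """Minimal view of an HTTP response: status code and body bytes (assumed type)."""
    status: int
    body: bytes


def strip_extension(path: str) -> str:
    """Return the URL path without its final extension: '/dir/page.html' -> '/dir/page'.

    Raises ValueError when the last segment has no extension to strip, so the
    caller never compares a file against itself by accident.
    """
    head, sep, tail = path.rpartition("/")
    name, dot, _ext = tail.rpartition(".")
    if not dot or not name:
        raise ValueError(f"path has no extension to strip: {path}")
    return f"{head}{sep}{name}"


def multiviews_verdict(with_ext: Response, without_ext: Response) -> str:
    """Classify the pair of responses for /page.html and /page.

    'negotiated'     : both 200 with identical bodies, the behaviour described in the article
    'not-negotiated' : the extension-less request got 404, nothing is auto-completed
    'different'      : the extension-less path exists but serves other content (e.g. a script)
    'inconclusive'   : the known file itself did not return 200, so no comparison is possible
    """
    if with_ext.status != 200:
        return "inconclusive"
    if without_ext.status == 404:
        return "not-negotiated"
    if without_ext.status == 200 and without_ext.body == with_ext.body:
        return "negotiated"
    return "different"


def fetch(url: str) -> Response:
    """Fetch a URL and return status + body, treating HTTP errors as ordinary responses."""
    try:
        with urllib.request.urlopen(url, timeout=10) as resp:
            return Response(resp.status, resp.read())
    except urllib.error.HTTPError as err:
        return Response(err.code, err.read())


def check_server(url_with_ext: str) -> str:
    """Request the known file and its extension-less twin, then return the verdict."""
    parts = urllib.parse.urlsplit(url_with_ext)
    bare_path = strip_extension(parts.path)
    url_without_ext = urllib.parse.urlunsplit(parts._replace(path=bare_path))
    return multiviews_verdict(fetch(url_with_ext), fetch(url_without_ext))


if __name__ == "__main__":
    # Usage: python selfcheck.py http://your-own-host/page.html   (hostname is a placeholder)
    if len(sys.argv) != 2:
        sys.exit("usage: selfcheck.py URL-of-a-known-file-with-extension")
    print(check_server(sys.argv[1]))
```

The verdict "different" matters in practice: a URL such as a search script that has no extension by design will answer the bare request with unrelated content, so only identical bodies with no 404 count as the behaviour the article describes.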
Searching for hidden information.
This feature can also be used to search for hidden information on sites, where it leads to information leakage.
For example, suppose there is a file secret.ext on the site whose extension (ext) may be unusual (non-standard) or standard. To find this file there is no need to guess its full name (with extension); it is enough to guess only the name without the extension, which makes finding the hidden file much faster.
http://site/secret
I have had occasion to use this feature of Apache myself during a security audit to find hidden information on a site whose admin didn't expect that somebody would find it.
Affected versions.
This feature works in Apache 1.x (tested in Apache 1.3.23 and Apache 1.3.37). It also works in Apache 2.x, but I have not happened to come across such sites on Apache 2.x. So all versions of Apache with MultiViews turned on have this feature.
For example, Google also does not use extensions in some scripts on its sites (http://www.google.com/search), but it uses the GWS server and there such a name is simply set for the web application. Apart from Apache I have not happened to come across other web servers with this feature.
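Since the behaviour depends on MultiViews being enabled, the mitigation is to turn it off for directories that should not negotiate on file name. The fragment below is an added configuration example, not from the original article; the directory path is an assumption, and the first block is the weak setting shown beside the hardened one.

```apache
# Weak: MultiViews lets a request for /page be served from /page.html, /page.xml, ...
<Directory "/var/www/html">
    Options +MultiViews
</Directory>

# Hardened: no name-based negotiation, a request for /page is 404 unless that exact file exists
<Directory "/var/www/html">
    Options -MultiViews
</Directory>
```

If AllowOverride permits Options in a directory, a local .htaccess can re-enable MultiViews, so the check from the fingerprinting section is worth repeating after the change rather than relying on the main configuration alone.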