LATER EDIT : Could it be that IIS is not case sensitive for URLs and Apache is and someone could use this information to further increase the confidence factor in OS/WebServer detection?
I was reading about the useful UrlScan tool here and came across
IIS 6.0 does not include the
RemoveServerHeader feature because
this feature offers no real security
benefit. Most server attacks are not
operating system?specific. Also, it is
possible to detect the identity of a
server and information about the
operating system by mechanisms that do
not depend on the server header.
Of course this stirred my curiosity since I don't understand how you can detect the OS and/or the web server without using the server header. However extensions (.php, .asp, .aspx, .do, .py etc. etc.) cannot be the answer to this question nor looking for "__VIEWSTATE" or similar hidden input fields in the response content.
Is there some secret way that I don't really know about?
EDIT 1 : I assume customized error pages (not the default ones which clearly show the web server; knowing the web server gives you a strong clue about the OS too)
Best Answer
Similar to OS detection, each web server has slight quirks and different behaviors under some conditions that can be detected. I don't know the precise methods of the top of my head. This is frequently done by sending invalid or unusual requests and seeing what the error message or the response is. Apache might handle a particular invalid request slightly differently from IIS.
Some of this will be masked if you have a reverse proxy or load balancer in the path. Instead of learning about your web server the curious person would learn what proxy your using.