An application server is typically a super-set of a web server, which is to say that an application server can do what a web server does (i.e. answer HTTP socket requests on port 80 and HTTPS socket requests on port 443).
Web servers are generally very expandable, by means of APIs such as CGI, fast-cgi, ISAPI, NSAPI, and a thousand more modern variations of the same. In other words, web servers do support programmatic extension, and as such, are technically capable of hosting almost any application.
While web servers are basically file-centric (they are file servers that happen to support HTTP instead of SMB or CIFS), application servers are application-centric. This tends to imply: Application management (including life-cycle, security, monitoring, etc.), application packaging and (re-)deployment support, and application runtime services.
The runtime services dramatically affect the way in which one builds an application. For example, in Java EE, there are standard ways in which application components manage transactions, access data sources (including connection pooling functionality), send and receive messages, handle incoming HTTP requests, manage user sessions, authenticate and authorize access to resources, etc.
In Java EE, there is a formal packaging and deployment definition as well, which allows independently- and separately-built server-side components and libraries to be brought together into a single deployment unit. Most application servers support deployment (and subsequent re-deployment) of such an application, even to a running cluster of servers.
Organizations have invested heavily in the tooling and automation around application server platforms, including integration with their corporate-wide security standards; auditing and automated log collection; upgrade, back-up, and data retention policies; privacy, internationalization, localization and accessibility efforts; virtualization, provisioning, and scale-out infrastructure; and of course the application development knowledge-base and practices themselves -- which is to say that even when an application server may be technically "over-kill" for a particular application, it may still be more cost-effective and lower risk to use because of the other "sunk" investments.
As with any standardization or "higher level service", everything that is possible with an application server is possible to be built without an application server. The real question is whether the benefits of the built-in capabilities of an application server (and the network effect of the other tooling and infrastructure that organizations have invested in) outweigh the costs; for most businesses, the answer has been "yes".