Output Formats

Shortscan provides two output formats, controlled by the --output (-o) flag. This allows the tool to be used both interactively by a user and as part of an automated toolchain.

Human-Readable (human)

This is the default format. It's designed for easy reading in a terminal, with color-coding to highlight key information.

Example Output

๐ŸŒ€ Shortscan v0.9.2 ยท an IIS short filename enumeration tool by bitquark

โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•
URL:         http://example.org/
Running:     Microsoft-IIS/8.5
Vulnerable:  Yes!
โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•
WEB~1.CON            WEB.config                   web.config
APP_DA~1/            APP_DA?A/                      app_data/
BIN~1/               BIN?/                          bin/
โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•

Finished! Requests: 2893; Retries: 1; Sent 159115 bytes; Received 34716 bytes
  • Green Text: Indicates a confirmed part of a filename or a fully autocompleted filename.
  • Black/Gray Text: Indicates an uncertain part of a filename (e.g., when the name exceeds the tool's search depth).

JSON (json)

When specified with --output json, shortscan prints a series of newline-delimited JSON objects. This format is ideal for parsing with scripts or piping to other tools like jq.

There are three types of JSON objects that can be emitted, identified by the type field.

Status Object

This object is printed once per URL scan, indicating the target's vulnerability status.

  • Schema:

    • type: (string) Always "status".
    • url: (string) The base URL being scanned.
    • server: (string) The value of the Server HTTP header, if present.
    • vulnerable: (boolean) true if the target is vulnerable, otherwise false.

  • Example:

    {"type":"status","url":"http://example.org/","server":"Microsoft-IIS/8.5","vulnerable":true}

Result Object

This object is printed for each short filename that is discovered.

  • Schema:

    • type: (string) Always "result".
    • fullmatch: (boolean) true if the full filename was successfully discovered via autocomplete.
    • baseurl: (string) The base URL where the file was found.
    • shortfile: (string) The file part of the short name (e.g., "WEB").
    • shortext: (string) The extension part of the short name (e.g., ".CON").
    • shorttilde: (string) The tilde part of the name (e.g., "~1").
    • partname: (string) A representation of the partially-discovered name, with ? indicating uncertainty.
    • fullname: (string) The discovered full filename. Empty if fullmatch is false.

  • Example (Full Match):

    {"type":"result","fullmatch":true,"baseurl":"http://example.org/","file":"WEB","ext":".CON","tilde":"~1","partname":"WEB.CON","fullname":"web.config"}

  • Example (Partial Match):

    {"type":"result","fullmatch":false,"baseurl":"http://example.org/","file":"LONGFI","ext":".ASP","tilde":"~1","partname":"LONGFI?.ASP?","fullname":""}

Statistics Object

This object is printed at the very end of the entire run, summarizing the network activity.

  • Schema:

    • type: (string) Always "statistics".
    • requests: (integer) Total number of HTTP requests made.
    • retries: (integer) Total number of retries for failed requests.
    • sentbytes: (integer) Total bytes sent.
    • receivedbytes: (integer) Total bytes received.

  • Example:

    {"type":"statistics","requests":2893,"retries":1,"sentbytes":159115,"receivedbytes":34716}