Usage Guide

This page provides a detailed reference for all of shortscan's command-line arguments.

Synopsis

shortscan [OPTIONS] URL [URL ...]

Positional Arguments

  • URL: One or more URLs to scan. You can also provide a file containing a list of URLs by prefixing the filename with @ (e.g., @urls.txt).

Options

Here is a comprehensive list of all available flags to customize your scan.

Targeting & Requests

  • --wordlist FILE, -w FILE Specifies a custom wordlist or rainbow table. This is used for the autocomplete and de-checksumming features. See the documentation for the Shortscan Utility to learn how to generate a custom rainbow table.

  • --header HEADER, -H HEADER Sends a custom HTTP header with each request. This option can be used multiple times to send multiple headers. For example: -H 'Host: internal.host' -H 'Cookie: session=...'.

  • --concurrency CONCURRENCY, -c CONCURRENCY Sets the number of concurrent requests to make. The default value is 20.

  • --timeout SECONDS, -t SECONDS Sets the timeout in seconds for each individual HTTP request. The default value is 10.

Output & Verbosity

  • --output format, -o format Determines the output format. Options are human (default, colorized text) or json (machine-readable). For details on the JSON structure, see the Output Formats page.

  • --verbosity VERBOSITY, -v VERBOSITY Controls the level of logging detail.

    • 0 (default): Quiet. Only shows warnings, errors, and final results.
    • 1: Debug. Shows informational messages about the scan process.
    • 2: Trace. Shows every request and response, useful for deep debugging.

  • --fullurl, -F When a full filename is successfully autocompleted, this flag makes shortscan display the full URL instead of just the filename. Default is false.

Scan Behavior

  • --norecurse, -n Disables the automatic detection and scanning of subdirectories found during enumeration. Default is false.

  • --stabilise, -s This option is useful for unstable servers that give inconsistent responses. It increases the number of baseline requests to get a more reliable picture of the server's behavior, at the cost of sending more total requests. Default is false.

  • --patience LEVEL, -p LEVEL Adjusts the thoroughness of the initial vulnerability check.

    • 0 (patient, default): Tries a common subset of HTTP methods and path suffixes.
    • 1 (very patient): Tries a much larger set of HTTP methods and suffixes, which may find the vulnerability on unusually configured servers but is much slower.

  • --characters CHARACTERS, -C CHARACTERS Specifies the set of characters to use when enumerating filenames and extensions. The default set is a curated list of commonly used characters: JFKGOTMYVHSPCANDXLRWEBQUIZ8549176320-_()&'!#$%@^{}~.

  • --autocomplete mode, -a mode Controls the full-filename discovery feature. See Core Concepts for a detailed explanation of these modes.

    • auto (default): Automatically selects the best method (method or status).
    • method: Uses non-standard HTTP methods to check for file existence.
    • status: Compares HTTP status codes of potential files against a baseline.
    • distance: Compares the Levenshtein distance of response bodies.
    • none: Disables the autocomplete feature entirely.

  • --isvuln, -V A quick check mode. shortscan will exit immediately after determining whether the target is vulnerable, without performing any file enumeration. Default is false.
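
Why extra baseline samples (--stabilise) help a body-distance comparison like the distance autocomplete mode, shown as an added Go example that is not shortscan's own code. The response bodies are constructed, and the `matchesBaseline` helper and its margin of 8 edits are assumptions made for illustration.

```go
package main

import "fmt"

// levenshtein returns the byte-wise edit distance between a and b.
func levenshtein(a, b string) int {
	prev, cur := make([]int, len(b)+1), make([]int, len(b)+1)
	for j := range prev {
		prev[j] = j
	}
	for i := 1; i <= len(a); i++ {
		cur[0] = i
		for j := 1; j <= len(b); j++ {
			best := prev[j-1] // substitution, free when the bytes match
			if a[i-1] != b[j-1] {
				best++
			}
			if prev[j]+1 < best { // deletion
				best = prev[j] + 1
			}
			if cur[j-1]+1 < best { // insertion
				best = cur[j-1] + 1
			}
			cur[j] = best
		}
		prev, cur = cur, prev
	}
	return prev[len(b)]
}

// matchesBaseline reports whether body is within margin edits of any baseline
// sample, i.e. whether it looks like the server's "no such file" response.
func matchesBaseline(body string, baselines []string, margin int) bool {
	for _, b := range baselines {
		if levenshtein(body, b) <= margin {
			return true
		}
	}
	return false
}

func main() {
	// Constructed bodies: a server that alternates between two error pages.
	notFound := "<h1>Not Found</h1><p>req 1a2b</p>"
	busy := "<h1>Server busy</h1><p>retry later</p>"
	probe := "<h1>Server busy</h1><p>retry soon</p>" // missing file, busy page
	fmt.Println(matchesBaseline(probe, []string{notFound}, 8))       // false
	fmt.Println(matchesBaseline(probe, []string{notFound, busy}, 8)) // true
}
```

With a single baseline sample the busy page is mistaken for a real file; once a second sample has captured that variant, the same probe is recognised as an error response.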

Help & Version

  • --help, -h: Displays the help message and exits.
  • --version: Displays the version of shortscan and exits.

Examples

  • Set multiple custom headers:

    shortscan -H 'Host: gibson' -H 'Authorization: Basic ZGFkZTpsMzN0' http://127.0.0.1/

  • Perform a vulnerability check only:

    shortscan --isvuln http://example.org/