Vulnerability Scanning of Chinese & Russian Web Applications

An empirical study using automated OWASP ZAP scanning of the top 25 websites in each of China and Russia (50 in total), showing that even the largest web properties remain susceptible to basic web application weaknesses.

Abstract

This paper presents an empirical study of vulnerability scanning for web applications. We automate an open-source scanner (OWASP ZAP) and conduct experiments to determine which web applications are susceptible to the common vulnerability classes catalogued by the Open Web Application Security Project (OWASP). We scan the top 25 websites of China and the top 25 websites of Russia, and present and analyze the results. Our findings show that even the most popular websites in major countries are susceptible to basic web application vulnerabilities, with approximately 15% of the reported alerts classified as High or Medium risk.

Key Contributions

  • Automated vulnerability scanning of 50 major websites (top 25 in China, top 25 in Russia) using the OWASP ZAP proxy running in Docker containers, driven by Python and Bash automation scripts
  • Discovered 388 alerts across Chinese websites (13 High, 44 Medium, 194 Low, the remainder below Low risk) and 301 across Russian websites (11 High, 29 Medium, 174 Low, the remainder below Low risk), confirming that top-tier web properties are not immune to basic weaknesses
  • High- or Medium-risk findings made up roughly 15% of the Chinese results (57 of 388) and 13% of the Russian results (40 of 301), supporting the hypothesis that major companies often lack basic OWASP Top 10 protections; these are automated scanner alerts rather than manually confirmed exploitable bugs, so individual findings may include false positives
  • Designed a reproducible scanning pipeline with Docker Compose, automated Bash scripts for batch scanning, and multi-format report generation (HTML, JSON, XML, Markdown)
  • Compared the two regions and found similar vulnerability distributions, suggesting these security gaps are not region-specific
  • PDF: to be hosted
  • arXiv / TechRxiv: to be added
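The two building blocks such a pipeline needs are the Dockerized `zap-baseline.py` invocation and a tally of the resulting JSON report by risk level. The block below is an added example, not the paper's own Python or Bash scripts. It assumes ZAP's traditional JSON report layout (the file `zap-baseline.py -J` writes: a top-level `site` list whose entries carry an `alerts` list with `riskcode` 0..3 and a per-alert `count`), the public `ghcr.io/zaproxy/zaproxy:stable` image, and the `-t/-I/-J/-r/-x/-w` flags of `zap-baseline.py`; the sample report is constructed for illustration.

```python
"""Build a Dockerized ZAP baseline-scan command and tally a ZAP JSON report by risk.

Added example; assumes ZAP's traditional JSON report layout (site -> alerts ->
riskcode/confidence/count). SAMPLE_REPORT is constructed, not real scan output.
"""
import json
from collections import Counter

# ZAP risk codes as they appear in the report's "riskcode" field.
RISK_NAMES = {0: "Informational", 1: "Low", 2: "Medium", 3: "High"}

# Constructed sample in ZAP's traditional JSON report layout (not real scan data).
SAMPLE_REPORT = json.dumps({
    "@version": "2.14.0",
    "site": [{
        "@name": "https://example.test",
        "alerts": [
            {"pluginid": "40012", "alert": "Cross Site Scripting (Reflected)",
             "riskcode": "3", "confidence": "2", "riskdesc": "High (Medium)",
             "cweid": "79", "count": "2"},
            {"pluginid": "10038", "alert": "Content Security Policy (CSP) Header Not Set",
             "riskcode": "2", "confidence": "3", "riskdesc": "Medium (High)",
             "cweid": "693", "count": "7"},
            {"pluginid": "10021", "alert": "X-Content-Type-Options Header Missing",
             "riskcode": "1", "confidence": "2", "riskdesc": "Low (Medium)",
             "cweid": "693", "count": "7"},
            {"pluginid": "10027", "alert": "Information Disclosure - Suspicious Comments",
             "riskcode": "0", "confidence": "1", "riskdesc": "Informational (Low)",
             "cweid": "200", "count": "3"},
        ],
    }],
})


def baseline_scan_command(target, report_stem, workdir,
                          image="ghcr.io/zaproxy/zaproxy:stable"):
    """Return the docker argv that runs zap-baseline.py against `target` and writes
    JSON/HTML/XML/Markdown reports into `workdir`, which is mounted at /zap/wrk.
    -I keeps the exit status at 0 on WARN so a batch loop over many sites
    does not abort on the first site with findings."""
    return [
        "docker", "run", "--rm", "-v", f"{workdir}:/zap/wrk:rw", image,
        "zap-baseline.py", "-t", target, "-I",
        "-J", f"{report_stem}.json", "-r", f"{report_stem}.html",
        "-x", f"{report_stem}.xml", "-w", f"{report_stem}.md",
    ]


def tally_alerts(report_text, min_confidence=0):
    """Count alerts per risk level, once per distinct alert and once per instance.
    ZAP's per-alert `count` is the number of URLs the rule fired on, so a study
    reporting "vulnerabilities" must say which of the two tallies it quotes.
    Alerts with confidence below `min_confidence` (0 False Positive .. 3 High,
    4 User Confirmed) are dropped; this is how low-confidence heuristics are
    filtered before numbers are published."""
    report = json.loads(report_text)
    distinct, instances = Counter(), Counter()
    for site in report.get("site", []):
        for alert in site.get("alerts", []):
            if int(alert.get("confidence", 0)) < min_confidence:
                continue
            risk = RISK_NAMES[int(alert["riskcode"])]
            distinct[risk] += 1
            instances[risk] += int(alert.get("count", 1))
    return distinct, instances


def high_medium_share(counts):
    """Fraction of alerts rated High or Medium, the figure the study headlines."""
    total = sum(counts.values())
    return 0.0 if total == 0 else (counts["High"] + counts["Medium"]) / total


def summarize_region(report_texts, min_confidence=0):
    """Merge the distinct-alert tallies of one region's per-site reports."""
    merged = Counter()
    for text in report_texts:
        distinct, _ = tally_alerts(text, min_confidence)
        merged.update(distinct)
    return merged


if __name__ == "__main__":
    print(" ".join(baseline_scan_command("https://example.test", "example", "/tmp/reports")))
    distinct, instances = tally_alerts(SAMPLE_REPORT)
    print("distinct:", dict(distinct), "share:", round(high_medium_share(distinct), 3))
    print("instances:", dict(instances), "share:", round(high_medium_share(instances), 3))
```

Feeding `baseline_scan_command(...)` to `subprocess.run` per target list entry reproduces the batch loop; the confidence filter is the check to apply before comparing regions, because a High-risk alert at Low confidence and one at High confidence carry very different evidential weight.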
