Omer Tripp et al. [15] proposed a learning approach to test XSS and realized it in XSS Analyzer. XSS Analyzer generates XSS attack vectors based on a context-free grammar rule. It can learn the constraints in the grammar rules through invalid attack vectors, i.e., words that cannot be included in the attack vector to bypass the defense mechanism of the web application. Experimental results show that XSS Analyzer outperforms several competing algorithms, including a mature commercial algorithm featured in IBM Security AppScan Standard V8.5, by a far margin. But there are still shortcomings in XSS Analyzer. It applies learning to individual literals only, so it consumes a large quantity of HTTP requests and cannot capture complex input constraints involving multiple literals simultaneously. XSS Analyzer has recently been integrated into the latest version of AppScan (V8.6) in place of that algorithm.

Bozic J et al. [7], [16] introduced a combined approach, which comprises combinatorial testing with the emphasis on test case generation for XSS attacks and the attack pattern-based testing technique for test case execution against web applications. The generated strings were automatically tested against three web applications with different combinatorial interaction strengths, with highly promising initial results. In their next work, they revised an input grammar for combinatorial generation of test inputs and made use of constraints for another test suite. The experimental results show that setting constraints inside the input model results in significantly improved attack vectors. Next, Simos et al. [17] use a modification of a combinatorial testing-based fault localization method to identify XSS-inducing combinations, which can help to better understand the root cause of an XSS vulnerability and provide insights about how to fix a flawed sanitization function. Combinatorial test generation may be an alternative approach for web security testing. The approach can discover the vulnerability by traversing the combinatorial test cases, and we can also apply the ART method here to find the vulnerability more quickly.

Tang Z et al. [10] proposed a Webmail XSS fuzzer called L-WMxD (Lexical based Webmail XSS Discoverer), which works on a lexical-based mutation engine. L-WMxD is an active defense system to discover XSS vulnerability before the Webmail application is online for service. Unlike our method, which uses payloads collected in advance to discover the vulnerability, they make different rules corresponding to different filtering strategies of the Webmail server. The engine is initialized by normal JavaScript code called the seed. Then, rules are applied to the sensitive strings in the seed, which are picked out through a lexical parser. After that, the mutation engine issues multiple test cases. Newly-generated test cases are used for the XSS test.

Bates et al. [18] proposed a client-side XSS filter named Auditor, which is embedded by default in Google Chrome. Auditor can block scripts after HTML parsing but before execution by inserting an interface between the browser's HTML parser and the JavaScript engine. Compared to the previous method, Auditor is faster and more accurate.

Guo et al. [19] proposed a method of XSS vulnerability detection using an optimal attack vector repertory. This method develops an XSS attack vector grammar to generate XSS attack vectors automatically. It first generates a basic XSS attack vector repertory from an attack vector pattern repertory and a resource repertory. Then it applies mutation rules to generate the final XSS attack vector repertory. Finally, it uses machine learning optimization to reduce the size of the attack vector library. Experimental results show that the approach performs well in detecting XSS vulnerability in web applications.

Goswami et al. [20] proposed a client-server based architecture to support XSS attack detection. An initial check for the vulnerability is carried out at the client machine to decide whether to drop the request directly or send it to the proxy for further processing. The data collected at the proxy level undergoes steps such as preprocessing, feature extraction and feature selection to detect the attack using an unsupervised approach. This approach effectively balances the load between the client and the server.

There are also many tools for testing XSS vulnerability. Since white-box testing tools (such as that of Jovanovic et al. [21]) require access to source code, more tools use the black-box testing method to test XSS vulnerability by constructing HTTP requests. Xenotix [22] is a penetration testing tool developed exclusively to detect and exploit XSS vulnerability with zero false positives. It uses live payload reflection-based XSS detection via three browser rendering engines: Trident, WebKit, and Gecko. Xenotix apparently has a large XSS payload database, allowing effective XSS detection and WAF bypass. The defects of Xenotix are also obvious: it drives a browser instead of the requests library, so it consumes more memory and time. So it is necessary to study how to find XSS vulnerability with fewer attempts.

VI. CONCLUSION AND FUTURE WORK

Black-box testing is a common way to mitigate the threat of XSS vulnerability in web applications. Many black-box testing tools collect a large number of payloads and traverse them to find a payload that can be successfully injected. But when there are many different URLs in the system or the vulnerability is deeply hidden, this is not very efficient. Previous research did not focus on how to improve the efficiency of black-box testing to detect XSS vulnerability.

In this paper, we convert the attack payloads into word vectors and use the Jaccard coefficient to measure the distance between two payloads. We observe the distribution of effective payloads, and develop a tool for detecting XSS vulnerability with the ART method. The tool collects 6128 payloads from some open source tools and websites and uses a headless browser to detect XSS vulnerability. We conduct an experiment using 3 extensively adopted open source vulnerable benchmarks and 2 actual websites to evaluate the ART method. The experimental results indicate that the ART method can effectively improve the fuzzing method by 68
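The conclusion summarizes the method in one sentence: payloads become word sets, the Jaccard coefficient measures how far apart two payloads are, and adaptive random testing (ART) uses that distance to decide which payload to try next. The following Python is an added illustration, not the paper's tool or its 6128-payload repertory: it tokenizes payloads into word sets, computes Jaccard distance as 1 - |A∩B|/|A∪B|, and orders a repertory with fixed-size-candidate-set ART (each next test is the candidate farthest from everything already executed), which generalizes slightly beyond the text by also offering a deterministic farthest-first variant. The six payload strings, the `toy_filter_blocks` sanitizer and the `toy_oracle` standing in for the headless-browser check are all constructed for this demo.

```python
import random
import re
from typing import Callable, Iterable, List, Optional

# A "word" is a run of identifier characters; every other non-space character is its own token.
TOKEN_RE = re.compile(r"[A-Za-z0-9_]+|[^A-Za-z0-9_\s]")


def tokenize(payload: str) -> frozenset:
    """Turn a payload into its set of (case-folded) words, the word vector used for distances."""
    return frozenset(t.lower() for t in TOKEN_RE.findall(payload))


def jaccard_distance(a: frozenset, b: frozenset) -> float:
    """1 - |A ∩ B| / |A ∪ B|: 0 for identical word sets, 1 for disjoint ones."""
    if not a and not b:
        return 0.0
    return 1.0 - len(a & b) / len(a | b)


def art_order(payloads: List[str], candidate_size: Optional[int] = None, seed: int = 0) -> List[str]:
    """Order payloads by adaptive random testing with a fixed-size candidate set (FSCS-ART).

    The first test is payloads[0]. Each following test is the candidate whose minimum Jaccard
    distance to all already-executed tests is largest, so the sequence spreads over the payload
    space instead of retrying near-duplicates of a payload that just failed. candidate_size=None
    scores every untried payload (deterministic farthest-first); an integer samples that many
    candidates at random, which is the usual FSCS-ART trade-off between cost and spread.
    """
    if not payloads:
        return []
    rng = random.Random(seed)
    words = [tokenize(p) for p in payloads]
    executed = [0]
    untried = list(range(1, len(payloads)))
    while untried:
        if candidate_size is None:
            cands = untried
        else:
            cands = rng.sample(untried, min(candidate_size, len(untried)))
        # Score = distance to the nearest executed test; ties go to the lower index.
        best = max(cands, key=lambda i: (min(jaccard_distance(words[i], words[j]) for j in executed), -i))
        executed.append(best)
        untried.remove(best)
    return [payloads[i] for i in executed]


def attempts_until_effective(order: Iterable[str], is_effective: Callable[[str], bool]) -> int:
    """Payloads sent up to and including the first one the oracle reports as effective; 0 if none."""
    for n, payload in enumerate(order, start=1):
        if is_effective(payload):
            return n
    return 0


# Constructed sample repertory (demo data, not the paper's collected payloads).
PAYLOADS = [
    "<script>alert(1)</script>",
    "<script>alert('x')</script>",
    "<script>alert(document.domain)</script>",
    "<img src=x onerror=alert(1)>",
    "<svg onload=alert(1)>",
    '<a href="javascript:alert(1)">x</a>',
]


def toy_filter_blocks(payload: str) -> bool:
    """Constructed stand-in for a target's sanitizer: it rejects anything containing 'script'."""
    return "script" in payload.lower()


def toy_oracle(payload: str) -> bool:
    """Constructed stand-in for the headless-browser check: effective if the filter let it through."""
    return not toy_filter_blocks(payload)


if __name__ == "__main__":
    sequential = attempts_until_effective(PAYLOADS, toy_oracle)
    adaptive = attempts_until_effective(art_order(PAYLOADS), toy_oracle)
    print(f"sequential traversal: {sequential} attempts; ART order: {adaptive} attempts")
```

On the sample data the sequential scan spends three requests on near-identical `<script>` variants before reaching an effective payload at attempt 4, while the ART order jumps from the first payload to the one farthest from it (distance 7/13) and succeeds at attempt 2; that gap is the efficiency argument the paper makes, and it grows with the size of the repertory and the number of URLs under test.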