Abstract: To guard against the WEB site's cross-site scripting (XSS) attacks, the characteristics and filtering mode of XSS vulnerabilities were analyzed. A technical scheme for XSS vulnerabilities discovery was presented. First, an anti-filter rules set was used to convert the XSS code and then an automatic crawler program was employed to inject the XSS code and test it's usability. Finally, the effective XSS code and the point of the injected code could be acquired. The presented method has been successfully used to discover the XSS vulnerabilities of web-email and web site.