Indexed in:
Abstract:
To address XSS vulnerability detection, this paper presents a dynamic detection method based on simulating browser behavior. It designs a web crawler based on a headless browser, which can interpret JavaScript code and retrieve Ajax content to find hidden injection points in pages, taking full account of web pages that contain complex scripts in the Web 2.0 environment. In addition, the paper provides a more accurate method of identifying XSS vulnerabilities with XSS attack vectors by examining the runtime behavior of the web application, and decides whether an XSS vulnerability exists through black-box testing. The experimental results prove that this method works.
Keywords:
Corresponding author information:
E-mail address: