To　improve　the　detection　results　of　cross-site　scripting　(XSS)　vulnerability,　a　dynamic　attack　vector　generation　and　optimization　scheme　was　proposed　based　on　hidden　Markov　model.　The　mutated　attack　vector　was　generated　by　using　decision　tree　model　to　classify　the　attack　vectors　and　the　code　confusion　strategy　to　deform　the　attack　vector.　To　reduce　the　interactions　between　the　test　phase　and　the　web　server,　an　injection　point　de-duplication　and　probe　algorithm　are　designed　to　remove　web　pages　that　do　not　include　XSS　vulnerabilities　and　to　avoid　detecting　the　same　injection　point　in　different　web　pages.　XPath　path　location　technology　was　adopted　to　improve　the　analysis　efficiency　for　vulnerability　detection　results.　Experimental　results　show　that　the　proposed　method　can　reduce　the　response　time　and　the　miss　report,　and　improve　the　detection　efficiency.　©　2017,　Editorial　Department　of　Journal　of　HEU.　All　right　reserved.