This　paper　presents　a　dynamic　detection　method　based　on　simulating　browser　behavior,　and　designs　a　web　crawler　based　on　a　headless　browser,　which　can　interpret　the　JavaScript　code　and　retrieve　Ajax　content　to　find　the　hidden　injection　points　in　pages,　with　full　consideration　of　the　web　pages　containing　complex　scripts　under　Web　2.0　environment.　In　implementation,　this　paper　uses　dynamic　analysis　in　XSS　vulnerability　detection　by　examining　the　runtime　behavior　of　web　application,　and　decide　whether　the　XSS　vulnerability　exists　with　black-box　test.　The　experiment　results　prove　that　this　method　works.　©　2015　IEEE.