Whiteacid built a pretty remarkable XSS Greasemonkey assistant script. It’s got a few kinks left to work out, as we’ve been discussing, but on the whole this is feeling like a possible right approach to by-hand penetration testing for XSS vulnerability assessment. I still think something like this should be built into Burp Suite, but Whiteacid’s approach is pretty slick.
After installation and going to Tools->Greasemonkey->User Script Commands->Start XSS Forms, you see an icon that looks like this:
When clicked, that button allows you to run all the commands that the XSS cheatsheet XML file has in it against all form elements. It's an interesting tool that helps diagnose some of the problems out there. It’s really no substitute for doing it the old-fashioned way, but it’s a nice crutch when you’re in a hurry.