Fuzzing (aka Fuzz-Testing) consists in testing a system by sending boundary values and observing if a property is violated. Traditional undirected fuzzing techniques lack knowledge of the behavior of the tested system. This limits their ability to generate inputs, and to achieve high coverage. We propose a combination of model inference and evolutionary fuzzing. The former reverse-engineers an application behavior, and the latter evolves malicious inputs for detecting vulnerabilities. We specifically targets Cross Site Scripting (XSS), a particular case of command injection in web applications.