KameleonFuzz: Evolutionary Fuzzing for Black-Box XSS Detection (Inria HAL record)
Conference paper, year: 2014


Abstract

We present a black-box smart fuzzing approach for detecting cross-site scripting (XSS) vulnerabilities in web applications. Its smartness comes from two components: model inference and automated malicious input generation. The first is implemented as a state-aware crawler that models the application as an automaton. The second, evolutionary fuzzing, uses a genetic algorithm (GA). To limit the GA's search space, we introduce an Attack Grammar that mimics attackers by generating malicious inputs. XSS vulnerabilities are characterized by a relationship between tainted input and the output of the web application. In black-box testing, capturing this relationship precisely is a non-trivial task, which we solve using taint inference techniques. This lets us focus only on the transitions in which the relationship holds, so we avoid fuzzing the whole system. The GA automates input generation by taking the application's states into account and evolving the inputs to trigger an XSS, if one exists. Empirical evaluation shows that our fuzzer detects vulnerabilities missed by other black-box scanners.
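The following Python sketch is an added illustration of the three pieces the abstract names (taint inference to find reflected transitions, an attack grammar, and a GA that evolves payloads against a black-box oracle). It is not the authors' code and not the KameleonFuzz implementation: the target `app()` is a constructed, deliberately vulnerable stand-in for the web application, and `GRAMMAR`, the marker scheme, the fitness function and the DOM-based oracle are all assumptions made for this example.

```python
"""Miniature black-box XSS fuzzer: taint inference + attack grammar + GA.
Added example; not the KameleonFuzz implementation. `app`, GRAMMAR, the marker
scheme and the fitness function are all constructed for illustration."""
import html
import random
import re
from html.parser import HTMLParser


def app(params):
    """Constructed, deliberately vulnerable stand-in for the black-box web app.
    'q' lands in a text node behind a naive case-sensitive blacklist (bypassable),
    'name' lands in an attribute value with correct escaping, 'lang' is never reflected."""
    q = params.get("q", "").replace("<script", "")
    name = html.escape(params.get("name", ""), quote=True)
    return (f'<html><body><form><input name=name value="{name}"></form>'
            f"<p>Results for {q}</p></body></html>")


class DomSummary(HTMLParser):
    """Parses a response once: records where a marker lands (taint sinks) and
    counts script-capable constructs (the XSS oracle)."""
    def __init__(self, marker=None):
        super().__init__()
        self.marker, self.sinks = marker, set()
        self.scripts = self.handlers = self.js_urls = 0

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self.scripts += 1
        for k, v in attrs:
            if k.startswith("on"):
                self.handlers += 1
            if k in ("href", "src") and v and v.strip().lower().startswith("javascript:"):
                self.js_urls += 1
            if self.marker and v and self.marker in v:
                self.sinks.add(f"attr:{k}")

    def handle_data(self, data):
        if self.marker and self.marker in data:
            self.sinks.add("text")


def summarize(response, marker=None):
    s = DomSummary(marker)
    s.feed(response)
    s.close()
    return s


def infer_taint(target, param_names, seed=0):
    """Taint inference: send one unique marker per parameter, locate it in the DOM."""
    rng = random.Random(seed)
    return {p: sorted(summarize(target({p: m}), m).sinks)
            for p in param_names for m in ["kf%06x" % rng.getrandbits(24)]}


# Attack grammar: each slot is a production; an individual picks one value per slot.
GRAMMAR = {
    "break": ["", "'>", '">', "</p>"],
    "tag":   ["img", "svg", "a", "script", "SCRIPT"],
    "attr":  ["src", "href", "onerror", "onload"],
    "value": ["x", "alert(1)", "javascript:alert(1)"],
    "close": [">", "/>", ">alert(1)</script>"],
}
SLOTS = list(GRAMMAR)
LEFT, RIGHT = "kfL", "kfR"   # delimiters used to cut the reflected region out of the response


def render(genes):
    g = dict(zip(SLOTS, genes))
    return f'{g["break"]}<{g["tag"]} {g["attr"]}={g["value"]}{g["close"]}'


def fitness(target, param, genes, baseline):
    """Score = grammar tokens surviving unescaped in the reflected region, plus a
    large bonus when the oracle sees a script-capable node absent from the baseline."""
    payload = render(genes)
    resp = target({param: LEFT + payload + RIGHT})
    m = re.search(re.escape(LEFT) + "(.*?)" + re.escape(RIGHT), resp, re.S)
    survived = m.group(1) if m else ""
    score = sum(1 for g in genes if g and g in survived)
    d = summarize(resp)
    xss = (d.scripts > baseline.scripts or d.handlers > baseline.handlers
           or d.js_urls > baseline.js_urls)
    return score + (100 if xss else 0), xss, payload


def evolve(target, param, seed=0, pop_size=12, generations=30):
    """GA over the grammar: elitism, one-point crossover, single-slot mutation.
    Returns the first payload that trips the oracle, or None."""
    rng = random.Random(seed)
    baseline = summarize(target({param: "benign"}))
    pop = [[rng.choice(GRAMMAR[s]) for s in SLOTS] for _ in range(pop_size)]
    for gen in range(generations):
        scored = sorted(((fitness(target, param, g, baseline), g) for g in pop),
                        key=lambda t: t[0][0], reverse=True)
        (_, xss, payload), _ = scored[0]
        if xss:
            return {"param": param, "payload": payload, "generation": gen}
        elite = [g for _, g in scored[: pop_size // 2]]
        children = []
        while len(elite) + len(children) < pop_size:
            a, b = rng.sample(elite, 2)
            cut = rng.randrange(1, len(SLOTS))
            child = a[:cut] + b[cut:]
            if rng.random() < 0.3:                      # mutate one slot
                i = rng.randrange(len(SLOTS))
                child[i] = rng.choice(GRAMMAR[SLOTS[i]])
            children.append(child)
        pop = elite + children
    return None


if __name__ == "__main__":
    contexts = infer_taint(app, ["q", "name", "lang"], seed=7)
    print("taint:", contexts)
    for p, sinks in contexts.items():
        if sinks:                                       # fuzz only reflected transitions
            print(p, "->", evolve(app, p, seed=7))
```

Run as a script, the taint step reports `q` as a text-node sink and `name` as an attribute-value sink, and `lang` as unreflected, so only the first two are fuzzed; the GA finds a handler- or `javascript:`-based payload for `q` (the blacklist only strips the literal `<script`), while `name` stays clean because its escaping leaves no token that can change the parsed DOM. The oracle compares parsed DOM features against a benign baseline rather than string-matching the payload, which is what keeps the example from flagging harmless reflections.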

Domains

Computer Science
File not deposited

Dates and versions

hal-00976132 , version 1 (09-04-2014)

Cite

Fabien Duchene, Sanjay Rawat, Jean-Luc Richier, Roland Groz. KameleonFuzz: Evolutionary Fuzzing for Black-Box XSS Detection. Fourth ACM Conference on Data and Application Security and Privacy (CODASPY 2014), 2014, Unknown, pp.37-48, ⟨10.1145/2557547.2557550⟩. ⟨hal-00976132⟩
542 views
0 downloads
