Efficient way for finding XSS vulnerabilities?
DOMinator Pro is a great semi-automated tool for identifying DOM XSS.
What is DOMinator?
DOMinator is a Firefox-based software for analysis and identification of DOM Based Cross Site Scripting issues (DomXss). It is the first runtime tool which can help security testers to identify DomXss.
How it works?
It uses dynamic runtime tainting model on strings and can trace back taint propagation operations in order to understand if a DomXss vulnerability is actually exploitable.
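The runtime tainting model described above, as an added toy illustration (not DOMinator's own code): a value read from a DOM source is wrapped, every string operation propagates the taint and records itself in a trace, and a sink check reports the flow so the tester can see whether an escaping step sat between source and sink. The `readHash`, `checkSink` and flow functions, and the fragment they operate on, are assumptions constructed for this example.

```javascript
// Toy dynamic taint tracker, added as an illustration (not DOMinator's code).
// Data from an attacker-influenced DOM source is wrapped as a Tainted value;
// string operations propagate the taint and append to a trace; the sink check
// reports the flow so a tester can see which operations touched the value.
class Tainted {
  constructor(value, source, trace = []) {
    this.value = value;   // concrete string contents
    this.source = source; // origin of the data, e.g. "location.hash"
    this.trace = trace;   // ordered list of propagation operations
  }
  derive(value, op) { // new Tainted from this one, recording the operation
    return new Tainted(value, this.source, [...this.trace, op]);
  }
  concat(other) {
    const rhs = other instanceof Tainted ? other.value : String(other);
    return this.derive(this.value + rhs, "concat");
  }
  replace(pattern, replacement) {
    return this.derive(this.value.replace(pattern, replacement), "replace");
  }
  decode() {
    return this.derive(decodeURIComponent(this.value), "decodeURIComponent");
  }
  escapeHtml() { // escaping is recorded like any other operation
    const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
    return this.derive(this.value.replace(/[&<>"']/g, (c) => map[c]), "escapeHtml");
  }
}
// Source: wrap a fragment (constructed by the caller) as location.hash data.
function readHash(hash) {
  return new Tainted(hash, "location.hash");
}
// Sink check: null for untainted input; otherwise a finding that records the
// flow and whether an escaping step appears anywhere in the trace.
function checkSink(sinkName, value) {
  if (!(value instanceof Tainted)) return null;
  return { sink: sinkName, source: value.source, trace: value.trace,
           escaped: value.trace.includes("escapeHtml"), value: value.value };
}
// Two simulated page flows over the same fragment; only the second escapes.
function flowWithoutEscaping(hash) {
  return checkSink("innerHTML", readHash(hash).replace(/^#/, "").decode().concat("!"));
}
function flowWithEscaping(hash) {
  return checkSink("innerHTML",
    readHash(hash).replace(/^#/, "").decode().escapeHtml().concat("!"));
}
```

A real tracker hooks the browser's own string primitives and DOM sinks instead of a wrapper class, but the trace it hands the tester has the same shape: source, operations in order, sink.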
In terms of finding a wider range of XSS issues that, from what I've seen, is really scanner dependent (excellent starting point for that here) and none of them will be perfect (i.e. there will always be cases in black-box scanning where a manual tester will find an issue that scanners will miss). Some have a wider range of vectors and techniques than others.
If you're looking to widen out the coverage of automated tools, you could add in grey/white box tools as they can find issues that are harder to locate with a black-box approach. As an example Brakeman for Ruby on Rails applications has detection for XSS issues.
Also other specialist tools, as @Tate Hansen mentions above: DOMinator for DOMXSS issues.
Essentially as with most things in security there is no silver bullet. You can improve automated coverage by combining multiple tools and approaches, although there will be some areas that are still best discovered manually.
If you are testing your own app or you are testing an app for which you have the source code, the best way to go about it is a combination of Manual + automated. Try to use a static analysis tool on the source code. It should find you some XSS vulnerabilities (if any). But be aware that there might be several false positives, depending on the tool that you use.
Next, manual testing - probably the most efficient (if you know what you're doing). XSS isn't simply about <script>alert('hi')</script> injection into a text box to see if it gets reflected (or stored). There are a gazillion vectors that you need to check. Use an XSS cheatsheet (New XSS cheatsheet?) for this purpose. There will be a lot of failed attempts, but injecting something, checking the returned HTML page, and repeating this process after changing the vector, will yield results.