ABSTRACT. The article presents research results and vulnerability testing algorithms for one of the most common types of attacks on Web-based applications - cross-site scripting - CSS (Cross Site Scripting) - DOM CSS. Cross-site scripting is the error of validating user data, which allows you to pass JavaScript code to execution in the user's browser. Attacks of this kind are often called HTML injections, because the implementation mechanism is very similar to SQL injections, but unlike the latter, the implemented code is executed in the user's browser. The approach of mathematical modeling based on GERT-networks is argued. Studies have shown that GERT (Graphical Evaluation and Review Technique) is a method of studying and analyzing stochastic networks used to describe the logical relationship between parts of a project or process steps. The main goal of GERT is to evaluate the logic of the network and the duration of activity and to receive an opinion on the need to perform certain activities. The technology of testing Web-applications and the corresponding complex of mathematical models are developed. The basis of mathematical modeling is the approach of GERT-network synthesis. As a result, mathematical models of DOM CSS testing technology have been developed. The mathematical model of the DOM CSS testing technology vulnerability differs from the known, taking into account the execution or analysis of the DOM structure. The developed method can be used when testing for the vulnerability of a Web application.