With the rapid growth of e-commerce, various types of complex applications appear in web environments. web-based system testing is different from traditional software testing. The unpredictability of Internet and web systems makes it difficult to test web-based system. This paper presents an engine for Fuzzing test data towards web control vulnerabilities, and introduces "heuristic rules" and "tagged words" to generate the test data. This method can increase the intelligence of security testing and build the foundation of web vulnerability detection model.