Cross-site scripting (XSS) attack has been one of the most dangerous attacks in cyberspace security. Traditional methods essentially discover XSS attack by detecting malicious payloads in requests, which is unable to distinguish blind&random scanning with the attacking reality. Moreover, it also brings tens of thousands of worthless security alerts to administrators, as well as unfriendly experience to users. In this paper, we propose DoubleR, a bi-directional framework which detects both Requests and Responses to discover XSS attacking reality. On the basis of conventional detection of malicious requests, DoubleR collects responses from web server and trains a bagging based PU learning model to determine whether the vulnerability is truly triggered. To validate our proposed framework, experiments are performed on 5 popular Web applications with 11 specified CVE recorded vulnerabilities. Results show that DoubleR effectively distinguishes attacking reality from attacking attempts, reduce the worthless security alarms, and at the same time works well on other web attacks of the same type.