Developing the rules
The following line could be an exploitable XSS, because the value written to innerHTML is built from a variable:
element.innerHTML = "XSS here ->" + value + "";
While the following line doesn't need to be reviewed, since only a static string is written:
element.innerHTML += "Static content";
The first example will trigger an alert while the second one is ignored because it is safe.
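To make the rule concrete, here is an added example (not rhinauditor's code) of a minimal passive check in JavaScript: it looks for assignments to innerHTML and reports only those whose right-hand side mixes in something other than string literals. The tokenizer, the finding format and the sample input are all assumptions of this example.

```javascript
// Added example (not rhinauditor's code): a minimal passive rule that mimics
// the behaviour described above. It scans JavaScript source for assignments
// to innerHTML and reports only those whose right-hand side is not made
// purely of string literals (a real plugin would parse the source; this uses a small tokenizer).

const SINK_RE = /\.innerHTML\s*(\+?=)(?!=)\s*(.+?);?\s*$/;
// Split the right-hand side on '+' operators that sit outside string literals.
function splitConcat(expr) {
  const parts = [];
  let cur = '', quote = null;
  for (let i = 0; i < expr.length; i++) {
    const c = expr[i];
    if (quote) {
      cur += c;
      if (c === '\\') { cur += expr[++i] || ''; continue; } // keep escaped char
      if (c === quote) quote = null;
    } else if (c === '"' || c === "'") {
      quote = c; cur += c;
    } else if (c === '+') {
      parts.push(cur.trim()); cur = '';
    } else {
      cur += c;
    }
  }
  parts.push(cur.trim());
  return parts;
}

// A term is static if it is one complete single- or double-quoted literal.
const isLiteral = (t) => /^(?:"(?:[^"\\]|\\.)*"|'(?:[^'\\]|\\.)*')$/.test(t);

// One finding per innerHTML assignment whose value mixes in non-literal terms.
function auditInnerHtml(source) {
  const findings = [];
  source.split('\n').forEach((line, idx) => {
    const m = SINK_RE.exec(line);
    if (!m) return;
    const tainted = splitConcat(m[2]).filter((t) => !isLiteral(t));
    if (tainted.length) findings.push({ line: idx + 1, operator: m[1], tainted });
  });
  return findings;
}

// Constructed sample input reproducing the two lines from the text.
const SAMPLE = [
  'element.innerHTML = "XSS here ->" + value + "";',
  'element.innerHTML += "Static content";',
].join('\n');
console.log(auditInnerHtml(SAMPLE)); // one finding: line 1, tainted ['value']
```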
[Screenshot: Burp Pro plugin]
Try it yourself
The respective plugins are available to download at https://github.com/h3xstream/rhinauditor#downloads.
Note: The plugins are in an alpha stage.
Doing your own passive rules
With ZAP, you need to implement a PluginPassiveScanner to analyse response content. [sample]
In the Burp API, you need to implement IScannerCheck. [sample]