XSSDetect is a static code analysis tool that will attempt to detect Xss problems within a web application. (link)
I have not yet had a chance to use it, so I cannot speak to its abilities or thoroughness.
Don't forget about Microsoft's Anti Cross Site Scripting Library (link), that you can use in your web application, to help deal with inputs in a safe manner.
According to this post (link) over at Mark Curphey’s blog indicates that this i a 60 day trial, of a small subset of the new CAT.Net security scanner.