Task 1 of 5
The XSS the Server Never Saw
In 2022, a researcher found a DOM XSS on a major banking portal's login page. The login page had a feature: if your session timed out while you were on a restricted page, the portal would send you back to that page after you re-authenticated. It stored the destination URL in the hash fragment:
https://bank.com/login#returnTo=/dashboard
The JavaScript on the login page read that hash and rendered it:
// Everything after '#' is attacker-controllable and never reaches the server
const dest = location.hash.slice(1);
// innerHTML parses the string as HTML, so any markup in it is executed
document.getElementById('redirect-hint').innerHTML =
  'You will be redirected to: ' + dest;
An attacker crafted this URL:
https://bank.com/login#<img src=x onerror="steal(document.cookie)">
The server's logs showed nothing suspicious — a normal GET request to /login. The hash fragment is never sent to the server. The bank's WAF never saw the payload. The vulnerability was invisible to every server-side defence.
That is DOM XSS. The vulnerability lives in JavaScript. The fix has to live in JavaScript too.