From Amit Klein, the definitions of 3 types of XSS follows (OWASP 2017):
Reflected Reflected XSS occurs when user input is immediately returned by a web application in an error message, search result, or any other response that includes some or all of the input provided by the user as part of the request without that data being made safe to render in the browser, and without permanently storing the user provided data. In some cases, the user provided data may never even leave the browser (see DOM Based XSS next).
Stored Stored XSS generally occurs when user input is stored on the target server, such as in a database, in a message forum, visitor log, comment field, etc. And then a victim is able to retrieve the stored data from the web application without that data being made safe to render in the browser. With the advent of HTML5, and other browser technologies, we can envision the attack payload being permanently stored in the victim’s browser, such as an HTML5 database, and never being sent to the server at all.
DOM-based DOM Based XSS is a form of XSS where the entire tainted data flow from source to sink takes place in the browser, i.e., the source of the data is in the DOM, the sink is also in the DOM, and the data flow never leaves the browser. For example, the source (where malicious data is read) could be the URL of the page (e.g., document.location.href), or it could be an element of the HTML, and the sink is a sensitive method call that causes the execution of the malicious data (e.g., document.write).”
A photo of Luke's diagram of the differences between reflected, stored and DOM based.
This example is using a DOM-based XSS injection by inserting a gif format into a ‘send-payment’ feature on a cryptocurrency website.
WebAppSec 2005, ‘DOM Based Cross Site Scripting or XSS of the Third Kind, Amit Klein, viewed 17 February 2019, http://www.webappsec.org/projects/articles/071105.shtml