More than 10 years ago the industry became aware of smashing-the-stack buffer overflows. Many exploits later, these issues became harder to come by in popular software. The industry then moved on to heap overflows in pursuit of greener pastures. Once that grass was eaten up, the next evolutionary step occurred: integer overflows came to be identified more often. My prediction for the next 3-5 years is that DOM-Based Cross-Site Scripting (XSS) vulnerabilities, a class credited to Amit Klein, will follow a similar path.
Today the vast majority of XSS vulnerabilities fall into the persistent (HTML Injection) or non-persistent (link click) variety. I expect most of these issues to be cleaned up on major websites. In fact I see this trend already as people become aware of the dangers. From there it’s reasonable to assume interest in DOM-based XSS will grow, where currently it lies in wait. For how long is the question.
As far as the next type of XSS goes, it has yet to be identified. ;)
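What sets DOM-based XSS apart from the persistent and non-persistent varieties above is that the tainted value flows from a client-side source into a client-side sink, so the server never sees it. The following is an added example, not code from the original post: a hypothetical welcome page that reads a name from the URL fragment (assumed format `#name=Alice`), shown first with an HTML sink and then with escaping and with a text sink.

```javascript
'use strict';

// Hypothetical page (constructed for this example): greets the visitor by a
// name carried in the URL fragment, e.g. https://example.test/welcome#name=Alice
// The fragment is never sent to the server, so server-side filters and server
// logs see nothing of this input. That is what makes the flaw DOM-based.

// Source: pull "name" out of a fragment such as "#name=Alice".
function nameFromHash(hash) {
  const m = /^#?name=([^&]*)/.exec(hash || '');
  if (!m) return 'guest';
  try {
    return decodeURIComponent(m[1]);
  } catch (e) {
    return 'guest'; // malformed percent-encoding: fall back rather than throw
  }
}

// Vulnerable pattern: untrusted text concatenated into markup that the page
// then hands to an HTML sink (el.innerHTML = renderVulnerable(location.hash)).
// Any markup inside the fragment is parsed as part of the page.
function renderVulnerable(hash) {
  return '<p>Hello ' + nameFromHash(hash) + '</p>';
}

// Hardened 1: escape before the HTML sink so the value stays literal text.
function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g, (c) => ({
    '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;',
  })[c]);
}
function renderHardened(hash) {
  return '<p>Hello ' + escapeHtml(nameFromHash(hash)) + '</p>';
}

// Hardened 2 (preferred in a browser): use a text sink. textContent creates a
// text node, so the browser never parses the value as markup. `el` is any
// element-like object; in a real page it is document.getElementById(...).
function greetSafely(el, hash) {
  el.textContent = 'Hello ' + nameFromHash(hash);
  return el.textContent;
}

// Review aid: does the fragment value contain characters an HTML parser acts
// on? Handy when auditing which client-side sources reach which sinks.
function containsMarkupChars(hash) {
  return /[<>"'&]/.test(nameFromHash(hash));
}
```

Because the fragment never reaches the server, reviewing this class of bug means auditing client-side scripts for source-to-sink flows rather than server request logs.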