Redirection is when the attacker forwards the user to a trap website. This happens by sending an innocent-looking link to users in an email, injecting the link into the application via XSS, or placing the link on an external site. The link starts with the URL of the legitimate application, and the attacker's destination is hidden in the redirect parameter (for example a host= or to= parameter that the action passes straight into the redirect). To stop this, include only the expected parameters in the legacy action rather than forwarding every request parameter into the redirect, and check any user-supplied target against a list of allowed URLs. Another variant redirects the user to a URL that carries the malicious code itself, for example a data: URL containing HTML and JavaScript, which turns an open redirect into a self-contained XSS attack. To stop this, do not allow the user to supply the URL, or parts of the URL, to be redirected to.

File uploads allow the user to upload files named however they want. An attacker can use a malicious file name, such as one containing "../" path components, to write outside the upload directory and overwrite any file the server process can write to. Make sure file uploads cannot overwrite important files: keep only the base name and restrict it to a safe character set before writing to disk, and process media files.
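Both countermeasures in plain Ruby, as an added example that is not from the original page or from any framework's own code. The allowed host list, the expected parameter names, the fallback target and the helper names are assumptions for the illustration; `legacy_redirect_unsafe` is constructed to show the parameter-merging pattern being warned against, next to the whitelisted form, a target validator that rejects data:, javascript: and protocol-relative URLs, and a file name sanitizer with a final containment check:

```ruby
require "uri"
require "set"

# Hosts this application is willing to redirect to (assumption for the example).
ALLOWED_HOSTS = Set["www.example.com"].freeze
# The only query parameters the legacy action is expected to carry (assumption).
EXPECTED_PARAMS = %w[page sort].freeze

# Vulnerable shape of the redirect: every request parameter is merged into the
# URL options, so a host= parameter smuggled into the link changes the target.
def legacy_redirect_unsafe(params)
  opts  = { "host" => "www.example.com", "path" => "/site/main" }.merge(params)
  query = opts.reject { |k, _| %w[host path].include?(k) }
  URI::HTTPS.build(host: opts["host"], path: opts["path"],
                   query: query.empty? ? nil : URI.encode_www_form(query)).to_s
end

# Fix 1: forward only the expected parameters; host and path are fixed.
def legacy_redirect_safe(params)
  query = params.slice(*EXPECTED_PARAMS)
  URI::HTTPS.build(host: "www.example.com", path: "/site/main",
                   query: query.empty? ? nil : URI.encode_www_form(query)).to_s
end

# Fix 2: when the target really must come from the user, accept only a
# same-site path or an absolute http(s) URL to an allowed host. This rejects
# data:, javascript:, protocol-relative (//attacker) and userinfo (@) tricks.
def safe_redirect_target(to, fallback: "/")
  to = to.to_s.strip
  return to if to.match?(%r{\A/(?![/\\])})            # local path, not //host
  uri = URI.parse(to)
  return fallback unless uri.is_a?(URI::HTTP) && uri.userinfo.nil? &&
                         ALLOWED_HOSTS.include?(uri.host)
  uri.to_s
rescue URI::InvalidURIError
  fallback
end

# A user-chosen file name can carry a path. Strip the directory part (Unix or
# Windows separators), allow only a conservative character set, and drop
# leading dots so ".." and hidden files cannot be produced.
def sanitize_filename(name)
  base = name.to_s.strip.sub(%r{\A.*[\\/]}, "")
  base = base.gsub(/[^\w.\-]/, "_").sub(/\A\.+/, "")
  base.empty? ? "upload" : base
end

# Build the final path and verify it still lies inside the upload directory.
def upload_path(upload_dir, user_supplied_name)
  root = File.expand_path(upload_dir)
  path = File.expand_path(sanitize_filename(user_supplied_name), root)
  raise ArgumentError, "path escapes #{root}" unless path.start_with?(root + "/")
  path
end

if __FILE__ == $PROGRAM_NAME
  # Constructed attacker inputs, to show the difference between the two redirects.
  evil = { "param1" => "xy", "host" => "www.attacker.com" }
  puts legacy_redirect_unsafe(evil)   # leaves the site
  puts legacy_redirect_safe(evil)     # stays on www.example.com
  puts safe_redirect_target("data:text/html;base64,PHNjcmlwdD5hbGVydCgxKTwvc2NyaXB0Pg==")
  puts upload_path("/var/app/uploads", "../../../etc/passwd")
end
```

The containment check in `upload_path` is deliberately kept even though `sanitize_filename` already removes path separators: the two layers fail independently, so a later change to the sanitizer cannot silently reopen the traversal.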