Chapter 7 Injection Vulnerabilities — Foundations & HTML Injection

The Universal Injection Mental Model

5 min read Lesson 32 / 95 Preview

One sentence that explains every injection bug

Injection happens whenever user data crosses from a data context into a code context without escaping. That single sentence is the entire OWASP injection category. SQL, NoSQL, command, LDAP, template, XPath, HTML — they all share this root cause; they only differ in which parser eats the malicious input.

The universal hunt loop

1. Identify the sink — the parser that will receive your input.
2. Pick a canary that is harmless in a data context but special in a code context.
3. Send the canary and look for parser confusion in the response — errors, layout shifts, time delays, or any difference from a normal request.
4. Promote the canary into a real payload once you know which sink fired.

The canary list is short and worth memorising: a single quote and a double quote for SQL and shell, a semicolon for command separators, the dollar-brace pair for shell and template engines, an angle bracket for HTML, and a backslash for almost any parser. One of those characters fires almost every injection bug ever shipped.
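The loop above is a differential test, and the same test is what a defender writes to prove an escaping boundary holds. The following Python is an added example, not code from the course: it renders a greeting into an HTML context and looks a user up in a SQL context, each once without escaping and once with, then sends the lesson's canary for that parser and compares the result against a plain request. The user table and its rows are constructed for the example; the function names are my own.

```python
import html
import sqlite3

# Canaries from the lesson: harmless as data, special to one parser.
HTML_CANARY = "<"
SQL_CANARY = "'"


# --- HTML sink -------------------------------------------------------------

def render_greeting_vulnerable(name: str) -> str:
    # Data (name) is concatenated straight into the HTML code context.
    return f"<p>Hello, {name}!</p>"


def render_greeting_safe(name: str) -> str:
    # html.escape turns '<' into '&lt;', so the HTML parser reads it as text.
    return f"<p>Hello, {html.escape(name, quote=True)}!</p>"


def html_canary_leaks(render) -> bool:
    """Differential check: does the canary add a new tag opener to the output?

    A plain request and a canary request should produce the same number of
    raw '<' characters if the sink escapes. One extra '<' means the canary
    crossed into the code context.
    """
    plain = render("xy")
    probed = render(f"x{HTML_CANARY}y")
    return probed.count("<") > plain.count("<")


# --- SQL sink --------------------------------------------------------------

def make_db() -> sqlite3.Connection:
    # Constructed sample data for the example.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT)")
    conn.executemany("INSERT INTO users (name) VALUES (?)",
                     [("alice",), ("bob",)])
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, username: str) -> list:
    # The username is spliced into the query text, i.e. into the SQL code context.
    query = f"SELECT id FROM users WHERE name = '{username}'"
    return conn.execute(query).fetchall()


def lookup_safe(conn: sqlite3.Connection, username: str) -> list:
    # A bound parameter keeps the username in the data context regardless of content.
    return conn.execute("SELECT id FROM users WHERE name = ?",
                        (username,)).fetchall()


def sql_canary_breaks_parser(lookup, conn: sqlite3.Connection) -> bool:
    """Differential check: a plain value succeeds; does the canary value error?

    An OperationalError on the canary request is the 'parser confusion'
    signal from the hunt loop, surfacing here as a failing regression test.
    """
    lookup(conn, "xy")  # plain request must succeed for either sink
    try:
        lookup(conn, f"x{SQL_CANARY}y")
    except sqlite3.OperationalError:
        return True
    return False


if __name__ == "__main__":
    db = make_db()
    print("HTML vulnerable leaks canary:", html_canary_leaks(render_greeting_vulnerable))
    print("HTML safe leaks canary:      ", html_canary_leaks(render_greeting_safe))
    print("SQL vulnerable parser error: ", sql_canary_breaks_parser(lookup_vulnerable, db))
    print("SQL safe parser error:       ", sql_canary_breaks_parser(lookup_safe, db))
```

Both sinks fail for the same reason (data concatenated into a code context) and are fixed by the same move (an escaping or binding step at the boundary); only the canary and the parser differ, which is the lesson's point. Dropping either of these checks into a test suite turns the hunt loop into a guard that fails the build the day someone removes the escaping.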

Why this lesson matters

You will reuse this mental model in every section that follows — SQLi, command injection, XSS, server-side template injection. They are all the same bug under the hood. Internalise the loop now and the rest of the course collapses into pattern-matching on which parser to target. The payloads are easy. The mental model is the actual skill.

Engr Mejba Ahmed
