Welcome! In this lesson, we’ll take a more technical look at how shell injection happens, how to identify the vulnerability, and how to deal with it.
Theoretically, shell injection can happen any time unsanitized user input is used to build a shell command. Usually this happens when input from a website is passed to a shell command executed on the backend server, but it doesn’t always have to be that way.
Shell injection also isn’t limited to any specific programming language. Most languages have some way of invoking a system’s shell. Linux and Unix were, and still are, structured with the idea that programs should invoke other programs through the system’s shell as part of normal operation. It isn’t innately bad for a program to use shell commands, but we must be careful, and there are usually safer ways to accomplish the same goal.
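To make the point above concrete, here is an added Python example (not code from the original lesson) showing the difference between building a command string for the shell and passing an argument list straight to the program. The `SAMPLE_INPUT` value is constructed for the demonstration, and `echo` is used as a stand-in for whatever program the backend would really invoke.

```python
import shlex
import subprocess

# Constructed sample value, as a user might submit it in a web form.
# It contains a shell metacharacter (';') that a shell would treat as a
# command separator.
SAMPLE_INPUT = "hello; echo INJECTED"

# Characters that /bin/sh gives special meaning to; useful for logging or
# flagging suspicious input during review, but NOT a substitute for the
# argument-list approach below (blocklists are easy to get wrong).
SHELL_METACHARS = set(";|&$`<>()\\\"'*?[]{}~\n")


def run_unsafe(user_input: str) -> str:
    """Concatenates untrusted input into a command string and hands it to
    /bin/sh (shell=True). The shell parses the whole string, so any
    metacharacters in user_input change what gets executed."""
    result = subprocess.run(
        "echo " + user_input, shell=True, capture_output=True, text=True
    )
    return result.stdout


def run_safe(user_input: str) -> str:
    """Passes an argument list directly to the program. No shell is
    involved, so user_input reaches echo as one literal argument."""
    result = subprocess.run(
        ["echo", user_input], shell=False, capture_output=True, text=True
    )
    return result.stdout


def run_quoted(user_input: str) -> str:
    """If a shell is genuinely required (pipes, redirections, globbing),
    quote every untrusted value with shlex.quote so the shell treats it as
    a single literal word. Prefer run_safe whenever the shell is not
    actually needed."""
    result = subprocess.run(
        "echo " + shlex.quote(user_input),
        shell=True,
        capture_output=True,
        text=True,
    )
    return result.stdout


def contains_shell_metachars(user_input: str) -> bool:
    """Returns True if the value contains characters a shell would
    interpret. Handy as a detection signal for logs or code review."""
    return any(ch in SHELL_METACHARS for ch in user_input)


if __name__ == "__main__":
    print("unsafe :", repr(run_unsafe(SAMPLE_INPUT)))   # two commands ran
    print("safe   :", repr(run_safe(SAMPLE_INPUT)))     # one literal argument
    print("quoted :", repr(run_quoted(SAMPLE_INPUT)))   # one literal argument
    print("flagged:", contains_shell_metachars(SAMPLE_INPUT))
```

Run on a POSIX system, the unsafe variant prints two lines because the shell split the string at the semicolon, while both hardened variants print the input back as a single line. The argument-list form is the one to reach for first; `shlex.quote` is the fallback for the cases where a shell really is part of the job.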