Something I found really interesting was that a lot of the techniques resembled modern code injection, where user input was being mistakenly interpreted as a control signal from the system itself, kind of like forgetting to escape your SQL statements.