Skip to content

Untrusted Input Execution

Prime #
1259
Origin domain
Information Security
Subdomain
access control and protocol design → Information Security
Also from
Computer Science & Software Engineering, Biology, Law & Governance
Aliases
Injection Vulnerability, Untrusted Content Executed as Control

Core Idea

Attacker-influenced input crosses a boundary from a data role into a control or authority role, and a correctly-operating intermediary executes it with the intermediary's own authority — so the attacker borrows the defender's privilege without the intermediary ever breaking its rules. The fault is not in the interpreter but at the boundary, where the data-vs-control separation was held by convention rather than by construction; effective authority becomes the union of the intermediary's standing and the attacker's intent.

How would you explain it like I'm…

The Fake Note Trick

Imagine you hand a babysitter a note that says 'Mom said give me ice cream.' The babysitter follows the note and gives you ice cream, even though Mom never said that. You couldn't get the ice cream yourself, but you tricked the helper into using *her* power to do it for you.

Hidden Orders In Data

Untrusted Input Execution happens when stuff that was supposed to be just 'words to read' gets treated as 'commands to obey,' and a system follows it using its own power. The system isn't broken; it's following its rules exactly. An attacker who couldn't act directly sneaks their command into the input, and because nobody made the words harmless first, the system runs them with its own authority. The fix isn't to make the system smarter about bad input. The fix is at the border: keep commands and plain data truly separate, neutralize the input before it arrives, or give the system less power so a sneaky command can't do much.

Data Crossing Into Control

Untrusted Input Execution is when attacker-controlled input crosses from a *data* role (inert content to be processed) into a *control or authority* role (directives, or the standing to act), and a correctly-operating middleman executes it with the middleman's *own* power. The system normally keeps data and control separate, but the separation was held by convention, not by a real barrier the input couldn't cross. The key, counterintuitive point: the middleman is *not* malfunctioning — it follows its rules exactly, and is only 'fooled' relative to the designer's hope that data would stay inert. So the fault lives at the *boundary*, not in the interpreter. The effective authority of the bad action becomes the *union* of the helper's standing and the attacker's intent, instead of the safe *intersection*.

 

Untrusted Input Execution is the structural pattern in which attacker-influenced input crosses a boundary from a data role into a control or authority role, and a correctly-operating intermediary executes it with the intermediary's own authority — so the attacker borrows the defender's privilege without the intermediary ever breaking its own rules. Four pieces are load-bearing. First, two roles: a data role carrying inert content, and a control/authority role carrying directives or standing. Second, a correctly-operating intermediary that reads the data and can be triggered to treat input as control, whose authority over the target is valid and undisputed. Third, a crossing point where attacker input enters the data role *un-inertised* — not escaped, encoded, sandboxed, or authenticated — so its control-triggering cues survive. Fourth, when the crossing fires, the intermediary acts with its own authority, making the effective authority the *union* of its standing and the attacker's intent rather than the safe *intersection*. The most consequential fact is that a correctly-functioning intermediary is *not* a defense: because the interpreter never breaks its rules and its identity is never in doubt, the failure is invisible to authentication-hardening and to 'make the parser smarter' — both target the wrong component. The durable fixes act at the boundary and the authority: separate the roles structurally, inertise at the crossing, or reduce the intermediary's reach. As a genus it unifies a whole family — code injection, the confused deputy, prompt injection, supply-chain poisoning, even a phage genome run by a host cell — as one object: un-inertised input crossing a data-to-control boundary, executed with the system's own authority.

Broad Use

  • Software security: SQL, command, and XSS injection; SSRF and CSRF, where user input reaches a parser that treats it as control.
  • Language-model agents: prompt injection — retrieved content crosses into the instruction channel and is executed with the agent's tool authority.
  • Molecular biology: viral integration and bacteriophage replication, where a host cell runs foreign DNA with its own ribosomes — the structure with no principal.
  • Animal behavior: brood parasitism and pheromone mimicry — crafted data crosses into a host's behavioral-control channel.
  • Social engineering: pretexting and authority-impersonation, where a human is the switchable interpreter who acts on the attacker's instruction.
  • Bureaucratic / legal: forged-authorization execution and apparent authority — a clerk wields the institution's standing for the forger.
  • Supply chains: a typosquatted package whose install script runs with the build's privilege.

Clarity

Separates did the intermediary malfunction or get misidentified? from did input cross a data-to-control boundary and execute with the intermediary's own authority? — relocating the diagnosis from "the system was tricked" to the boundary, and exposing separation by construction versus by convention.

Manages Complexity

Compresses a per-vulnerability arms race into one boundary-and-authority analysis with a three-move fix family: separate roles structurally, inertise the crossing, or reduce the intermediary's authority — never make the interpreter smarter.

Abstract Reasoning

Licenses portable moves: locate the boundary not the interpreter; trace intent provenance separately from actor identity; test construction versus convention; read authority as union or intersection; and strip the attacker to test for structural inevitability.

Knowledge Transfer

  • Across software: prepared statements, argument-array execution, and text-only DOM APIs are one structural-separation move in many costumes.
  • Into AI and finance: demoted content roles for an LLM, out-of-band confirmation on a wire transfer, and signed dependencies are the same fix.
  • The constant lesson: a correctly-functioning interpreter is not a defense, so the 1988 capability fix reappears as OAuth scopes, sealed roles, and signed authority chains.

Example

In SQL injection a user-supplied field ' OR '1'='1 reaches a query parser that — operating exactly per its grammar — executes it with the application's database authority; the structural fix is a prepared statement, which compiles the template with typed placeholders so no input content can be re-parsed as command, driving the breach probability to zero by construction.

Relationships to Other Primes

One-hop neighborhood: parents above, mutual partners to the right, children below.UntrustedInput Executionsubsumption: Confused DeputyConfused Deputysubsumption: Control / Data Channel ConfusionControl / Data …subsumption: Data-Control Plane BreachData-ControlPlane Breach

Foundational — no parent edges in the catalog.

Children (3) — more specific cases that build on this

Not to Be Confused With

  • Untrusted Input Execution is not its child Confused Deputy because the deputy adds a principal triad and foregrounds the authority-misuse facet, whereas the parent commits to none of the triad — only the bare boundary-crossing skeleton all children share.
  • Untrusted Input Execution is not Access Control because access control is the permission gate deciding who may act, whereas this breach occurs while the gate answers correctly — the attack rides in on trusted input rather than breaking the check.
  • Untrusted Input Execution is not External Compromise because external compromise is a malfunction (stolen credential, interpreter bug), whereas this requires the intermediary to operate correctly and exploits only the structural fact that un-inertised input crosses into control.