Third-Party Services
Introduction
Third-party services are external platforms, software, or infrastructure provided by other organizations that are integrated into an application's ecosystem. Modern organizations rarely build every component themselves. Instead, they rely on specialized providers for services such as content delivery, cloud hosting, payment processing, authentication, analytics, customer support, email delivery, and monitoring.
During the Reconnaissance phase of an authorized ethical hacking or penetration testing engagement, identifying third-party services helps security professionals understand the complete technology ecosystem of the target organization. These integrations expand the application's architecture and, when they fall within the agreed scope, should be included in the asset inventory and security assessment planning.
Why Third-Party Services Are Important
Most modern applications depend on multiple external services. Understanding these dependencies helps ethical hackers:
- Build a complete technology inventory.
- Understand application architecture.
- Identify trusted external providers.
- Discover cloud infrastructure.
- Identify authentication providers.
- Locate API integrations.
- Understand application workflows.
- Expand the authorized attack surface inventory.
Common Categories of Third-Party Services
1. Cloud Service Providers
Many organizations host applications on cloud platforms.
Examples include:
- Amazon Web Services (AWS)
- Microsoft Azure
- Google Cloud Platform (GCP)
- Oracle Cloud Infrastructure (OCI)
Services commonly used
- Virtual Machines
- Object Storage
- Managed Databases
- Serverless Functions
- Load Balancers
- Kubernetes Services
Example
Customer
↓
CloudFront CDN
↓
AWS Load Balancer
↓
EC2 Application Server
↓
Amazon RDS
2. Content Delivery Networks (CDNs)
CDNs improve performance and availability by caching content closer to users.
Examples include:
- Cloudflare
- Amazon CloudFront
- Akamai
- Fastly
Example
User
↓
Cloudflare
↓
Origin Server
3. Identity and Authentication Providers
Organizations often rely on external identity providers for authentication and Single Sign-On (SSO).
Examples:
- Okta
- Microsoft Entra ID (formerly Azure Active Directory)
- Auth0
- Ping Identity
Example
User
↓
Login Page
↓
Okta
↓
Application
These services manage user authentication while the application focuses on authorization and business logic.
4. Payment Gateways
E-commerce and financial applications commonly integrate payment providers.
Examples include:
- Stripe
- PayPal
- Adyen
- Razorpay
Example
Shopping Cart
↓
Payment Gateway
↓
Bank
These integrations are typically subject to strict scope definitions and should only be assessed if explicitly authorized.
5. Email Services
Applications often use third-party providers to send transactional or marketing emails.
Examples:
- SendGrid
- Amazon Simple Email Service (SES)
- Mailgun
- Postmark
Typical Uses
- Password reset emails
- Account verification
- Notifications
- Marketing campaigns
6. DNS Providers
Organizations may use external DNS hosting services.
Examples:
- Cloudflare DNS
- Amazon Route 53
- Google Cloud DNS
- NS1
DNS providers manage domain resolution and routing.
7. Monitoring and Logging Platforms
Applications use monitoring services to observe system health and performance.
Examples:
- Datadog
- New Relic
- Grafana Cloud
- Splunk
Typical capabilities include:
- Performance monitoring
- Error tracking
- Log aggregation
- Infrastructure monitoring
8. Analytics Platforms
Organizations collect website and application usage statistics through analytics services.
Examples:
- Google Analytics
- Adobe Analytics
- Mixpanel
- Amplitude
These services help organizations understand user behavior.
9. Customer Support Platforms
Customer support systems are often integrated into websites.
Examples:
- Zendesk
- Intercom
- Freshdesk
- Salesforce Service Cloud
Typical features:
- Live chat
- Ticket management
- Knowledge bases
- Customer communication
10. Source Code Hosting
Development teams frequently use external platforms for version control.
Examples:
- GitHub
- GitLab
- Bitbucket
These services may host:
- Public repositories
- Documentation
- SDKs
- Sample applications
11. CI/CD Platforms
Continuous Integration and Continuous Deployment services automate software delivery.
Examples:
- GitHub Actions
- GitLab CI/CD
- Jenkins
- Azure DevOps
These services support building, testing, and deploying applications.
12. Object Storage Services
Applications commonly store files using cloud storage.
Examples:
- Amazon S3
- Azure Blob Storage
- Google Cloud Storage
Typical stored content includes:
- Images
- Documents
- Backups
- Static website assets
13. Maps and Location Services
Applications that require geographic functionality often integrate mapping services.
Examples:
- Google Maps Platform
- Mapbox
- HERE Technologies
14. CAPTCHA Services
CAPTCHA solutions help reduce automated abuse.
Examples:
- Google reCAPTCHA
- Cloudflare Turnstile
- hCaptcha
These services protect login forms, registration pages, and other public-facing forms.
How Third-Party Services Can Be Identified
During reconnaissance, publicly available information may reveal third-party integrations through:
- HTTP response headers
- JavaScript files
- HTML source code
- DNS records
- TLS certificates
- Public documentation
- Privacy policies
- Cookie policies
- Developer documentation
- Mobile application resources
Example Architecture
User
↓
Cloudflare CDN
↓
Nginx
↓
Web Application
↓
OAuth (Okta)
↓
REST API
↓
Amazon RDS
↓
SendGrid
↓
Stripe
This architecture demonstrates how multiple third-party services work together to deliver application functionality.
Example Technology Inventory
| Service Category | Example |
|---|---|
| Cloud Provider | Amazon Web Services (AWS) |
| CDN | Cloudflare |
| Authentication | Okta |
| Payment | Stripe |
| SendGrid | |
| Monitoring | Datadog |
| Analytics | Google Analytics |
| Storage | Amazon S3 |
| DNS | Route 53 |
| Source Control | GitHub |
Benefits During Reconnaissance
Identifying third-party services helps ethical hackers:
- Build a comprehensive technology inventory.
- Understand application dependencies.
- Identify cloud infrastructure.
- Map authentication and authorization flows.
- Document external integrations.
- Improve assessment planning.
- Prioritize testing of in-scope assets.
Ethical and Legal Considerations
Third-party services are not automatically in scope simply because they are integrated into an application.
Ethical hackers should:
- Verify that each third-party service is included in the Rules of Engagement (RoE) or scope document before testing.
- Avoid testing infrastructure owned by third parties unless explicit authorization has been granted.
- Respect the terms of the engagement and any applicable service-provider policies.
- Document third-party dependencies as part of the technology inventory, even if they are out of scope.
Summary
Third-party services are an essential part of modern application ecosystems, providing capabilities such as cloud hosting, authentication, payment processing, content delivery, monitoring, analytics, email delivery, and customer support. During the reconnaissance phase, identifying these services enables ethical hackers to develop a comprehensive understanding of the target environment, document external dependencies, and build an accurate attack surface inventory. All assessment activities involving third-party services must remain within the explicitly authorized scope of the engagement.