Fastly API Token
A Fastly API Token is a credential used to authenticate requests to the Fastly API, which provides services for content delivery, security, and edge computing. This token allows users to interact programmatically with Fastly's platform, enabling operations such as purging cache, configuring services, and managing domains. Exposure of this token is a significant security concern as it can grant unauthorized access to sensitive operations and data within the Fastly environment.
How Does It Look
Fastly API Tokens can appear in various contexts, such as:
- Environment variables:
  export FASTLY_API_TOKEN="f1a2s3t4l5y6t7o8k9e0n"
- Configuration files (JSON):
  {
    "fastly": {
      "api_token": "f1a2s3t4l5y6t7o8k9e0n"
    }
  }
- Code snippets:
  headers = {
    "Fastly-Key": "f1a2s3t4l5y6t7o8k9e0n"
  }
- Connection strings:
  fastly://api.fastly.com?token=f1a2s3t4l5y6t7o8k9e0n
Severity
🔴 Critical
The severity of a Fastly API Token exposure is critical because it can provide full access to the Fastly account, allowing an attacker to manipulate content delivery settings, access sensitive data, and potentially disrupt services. The blast radius includes all services and configurations managed through the Fastly API.
What Can an Attacker Do?
With a Fastly API Token in hand, an attacker can immediately:
- Purge or modify cache (if the token has cache management permissions)
- Alter service configurations (if the token allows configuration changes)
- Access sensitive logs and analytics (if logging is enabled and accessible)
- Manage domains and certificates (if domain management permissions are granted)
Additionally, an attacker could escalate their access or move laterally by:
- Compromising other connected systems or services through misconfigured integrations
- Using the token to gather intelligence for further attacks on the infrastructure
Real-World Impact
The exposure of a Fastly API Token poses significant business risks:
The primary impact includes unauthorized control over content delivery and service configurations.
Potential consequences include:
- Data Exposure: Access to sensitive logs and analytics (if the token has read access to logs)
- Financial Loss: Increased costs due to unauthorized resource usage (if the attacker manipulates service settings)
- Operational Disruption: Service outages or degraded performance (if the attacker modifies critical configurations)
- Reputational Damage: Loss of customer trust due to service disruptions or data breaches
In the worst-case scenario, an attacker could cause widespread service outages, leading to significant financial and reputational damage.
Prerequisites for Exploitation
To exploit a Fastly API Token, an attacker needs:
- Network access: Ability to send requests to the Fastly API
- Additional context: Knowledge of the specific Fastly services and configurations
- No rate limits: If rate limits are not enforced, the attacker can perform extensive operations
How to Verify If It's Active
To verify if a Fastly API Token is active, use the following command:
curl -H "Fastly-Key: [TOKEN]" https://api.fastly.com/service
Valid credential response: A list of services associated with the account, indicating the token is active.
Invalid/expired credential response: An error message indicating unauthorized access or invalid token.
Detection Patterns
Common Variable Names:
- FASTLY_API_TOKEN
- FASTLY_KEY
- API_TOKEN
- FASTLY_SECRET
- FASTLY_AUTH
- FASTLY_ACCESS_TOKEN
File Locations:
- .env
- config.json
- settings.yaml
- credentials.txt
- fastly_config.py
Regex Pattern:
(?i)fastly[-_]?(api[-_]?)?token['"]?\s*[:=]\s*['"]?[a-z0-9]{20,40}['"]?
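Running the page's regex over the forms shown under "How Does It Look" is a quick way to see what it catches and what it misses; the following is an added scanner example, not code from the page. The page's regex is used unchanged; the supplementary `HEADER_PATTERN`, the `scan_lines` and `redact` helpers, and the constructed sample lines are assumptions added here.

```python
import re

# Regex exactly as listed on this page (not changed).
PAGE_PATTERN = re.compile(
    r"""(?i)fastly[-_]?(api[-_]?)?token['"]?\s*[:=]\s*['"]?[a-z0-9]{20,40}['"]?"""
)

# Supplementary pattern, added here and not from the page: covers the
# "Fastly-Key" request-header form shown under "How Does It Look".
HEADER_PATTERN = re.compile(
    r"""(?i)fastly-key['"]?\s*[:=]\s*['"]?[a-z0-9]{20,40}['"]?"""
)

PATTERNS = [("page", PAGE_PATTERN), ("header", HEADER_PATTERN)]

# Constructed sample lines, modelled on the page's own examples; the
# token value is the page's placeholder, not a real credential.
SAMPLES = [
    'export FASTLY_API_TOKEN="f1a2s3t4l5y6t7o8k9e0n"',      # env var
    '"api_token": "f1a2s3t4l5y6t7o8k9e0n"',                 # JSON key lacks "fastly"
    '"Fastly-Key": "f1a2s3t4l5y6t7o8k9e0n"',                # request header
    "fastly://api.fastly.com?token=f1a2s3t4l5y6t7o8k9e0n",  # connection string
    "fastly_token: f1a2s3t4l5y6t7o8k9e0n",                  # YAML-style key
    "FASTLY_TOKEN=short",                                   # value too short
]


def redact(match_text: str) -> str:
    """Mask the 20-40 char alphanumeric run so findings can be logged safely."""
    return re.sub(r"(?i)[a-z0-9]{20,40}",
                  lambda m: m.group(0)[:4] + "*" * (len(m.group(0)) - 4),
                  match_text)


def scan_lines(lines):
    """Return (line_no, pattern_name, redacted_match) for every hit."""
    hits = []
    for line_no, line in enumerate(lines, start=1):
        for name, pattern in PATTERNS:
            m = pattern.search(line)
            if m:
                hits.append((line_no, name, redact(m.group(0))))
    return hits


if __name__ == "__main__":
    for line_no, name, shown in scan_lines(SAMPLES):
        print(f"line {line_no}: {name} pattern -> {shown}")
```

Only the env-var and YAML forms are caught by the page's regex; the JSON `api_token` key under a `fastly` object and the `token=` query parameter in the connection string are not, so pair the regex with the variable-name and file-location lists above rather than relying on it alone.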
Remediation Steps
- Revoke immediately - Go to Fastly's web interface, navigate to Account > API Tokens, and delete the compromised token.
- Audit access logs - Review Fastly API logs for unauthorized requests or changes during the exposure window.
- Assess blast radius - Identify all systems, applications, and environments that used the exposed token.
- Rotate credential - Generate a new API token in Fastly with least-privilege permissions.
- Update dependent systems - Deploy the new token to all applications and update CI/CD pipelines securely.
- Harden access controls - Enable IP allowlisting in Fastly and require two-factor authentication for account access.
- Implement secrets management - Migrate credentials to a secrets manager (HashiCorp Vault, AWS Secrets Manager) to prevent hardcoding.
- Add detection controls - Set up pre-commit hooks and repository scanning to catch credential leaks before they reach production.
Credential exposures often go undetected for extended periods, increasing the window for exploitation. As a long-term strategy, plan to establish an internal process or engage an external vendor for continuous external exposure monitoring. This helps identify leaked secrets across public repositories, paste sites, dark web forums, and other external sources before attackers can leverage them. Proactive detection and rapid response are essential to minimizing the impact of credential leaks.