Zen, in-app firewall for PHP | by Aikido

Zen, your in-app firewall for peace of mind – at runtime.

Zen is an embedded Web Application Firewall that autonomously protects your PHP apps against common and critical attacks.

Zen protects your PHP apps by preventing user input containing dangerous strings, thus protecting agains attacks like SQL injection. It runs on the same server as your PHP app for simple install and zero maintenance.

Features

Zen will autonomously protect your PHP applications from the inside against:

• 🛡️ SQL injection attacks
• 🛡️ Command injection attacks
• 🛡️ Path traversal attacks
• 🛡️ Server-side request forgery (SSRF)

Zen operates autonomously on the same server as your PHP app to:

• ✅ Secure your app like a classic web application firewall (WAF), but with none of the infrastructure or cost.
• ✅ Rate limit specific API endpoints by IP or by user
• ✅ Allow you to block specific users manually

Install

Zen for PHP comes as a single package that needs to be installed on the system to be protected. Prerequisites:

• Ensure you have sudo privileges on your system.
• Check that you have a supported PHP version installed (PHP version >= 7.3 and test up to 8.3).
• Make sure to use the appropriate commands for your system or cloud provider.

Manual install

For Red Hat-based Systems (RHEL, CentOS, Fedora)

rpm -Uvh --oldpackage https://github.com/AikidoSec/firewall-php/releases/download/v1.0.102/aikido-php-firewall.x86_64.rpm

For Debian-based Systems (Debian, Ubuntu)

curl -L -O https://github.com/AikidoSec/firewall-php/releases/download/v1.0.102/aikido-php-firewall.x86_64.deb
dpkg -i -E ./aikido-php-firewall.x86_64.deb

Managed platforms

AWS Elastic beanstalk

1. In your repo, create a new file in .ebextensions/01_aikido_php_firewall.config with the following content:

commands:
  aikido-php-firewall:
    command: "rpm -Uvh --oldpackage https://github.com/AikidoSec/firewall-php/releases/download/v1.0.102/aikido-php-firewall.x86_64.rpm"
    ignoreErrors: true

files: 
  "/opt/elasticbeanstalk/tasks/bundlelogs.d/aikido-php-firewall.conf" :
    mode: "000755"
    owner: root
    group: root
    content: |
      /var/log/aikido-*/*.log

  "/opt/elasticbeanstalk/tasks/taillogs.d/aikido-php-firewall.conf" :
    mode: "000755"
    owner: root
    group: root
    content: |
      /var/log/aikido-*/*.log

2. Go to AWS EB enviroment -> Configuration -> Updates, monitoring, and logging -> Edit and add the desired environment variables like: AIKIDO_TOKEN

Forge (recipe)

1. Go to [server_name] -> [site_name] -> Enviroment and add the desired environment variables like: AIKIDO_TOKEN
2. Go to "Recipes".
3. Based on the running OS, use the Manual install commands to create a new recipe called "Install Aikido Firewall" and select "root" as user. Example for Debian-based systems:

cd /tmp

# Install commands from the "Manual install" section below, based on your OS
curl -L -O https://github.com/AikidoSec/firewall-php/releases/download/v1.0.99/aikido-php-firewall.x86_64.deb
dpkg -i -E ./aikido-php-firewall.x86_64.deb

# Restarting the php services in order to load the Aikido PHP Firewall
for service in $(systemctl list-units | grep php | awk '{print $1}'); do
    sudo systemctl restart $service
done

4. Based on the running OS, use the Manual uninstall commands to create a new recipe called "Uninstall Aikido Firewall" and select "root" as user. Example for Debian-based systems:

# Install commands from the "Manual uninstall" section below, based on your OS
dpkg --purge aikido-php-firewall

# Restarting the php services in order to load the Aikido PHP Firewall
for service in $(systemctl list-units | grep php | awk '{print $1}'); do
    sudo systemctl restart $service
done

5. Run the created recipes to install / uninstall the Aikido PHP Firewall.

Forge (ssh)

1. Go to [server_name] -> [site_name] -> Enviroment and add the desired environment variables like: AIKIDO_TOKEN
2. Use ssh to connect to the Forge server that you want to be protected by Aikido and, based on the running OS, execute the install commands from the Manual install section.
3. Go to [server_name] -> [site_name] -> Restart and click Restart PHP <version>.

Fly.io (flyctl)

1. In your repo, run fly launch.
2. Add the desired environment variables, by running fly secrets set AIKIDO_TOKEN=AIK_RUNTIME....
3. Go to ./.fly/scripts folder and create the aikido.sh file with the Manual install commands:

#!/usr/bin/env bash
cd /tmp
curl -L -O https://github.com/AikidoSec/firewall-php/releases/download/v1.0.99/aikido-php-firewall.x86_64.deb
dpkg -i -E ./aikido-php-firewall.x86_64.deb

4. Run fly deploy.

Supported libraries and frameworks

PHP versions

Zen for PHP supports the following PHP versions: 7.3, 7.4, 8.0, 8.1, 8.2, 8.3.

Web frameworks

Zen for PHP is Web-framework agnostic, meaning that it will work on any PHP Web framework that you want to use.

Zen for PHP can do this because the monitored functions are hooked at the PHP-core level.

Database drivers

• ✅ PDO
  • ✅ MySQL
  • ✅ Oracle
  • ✅ PostgreSQL
  • ✅ ODBC and DB2
  • ✅ Firebird
  • ✅ Microsoft SQL Server
  • ✅ SQLite
• 🚧 MySQLi
• 🚧 Oracle OCI8
• 🚧 PostgreSQL
• 🚧 SQLite3

Outgoing requests libraries

• ✅ cURL
  • Including wrappers, when configured to use cURL as adapter:
    • ✅ GuzzleHttp
    • ✅ HTTP_Request2
    • ✅ Symfony\HTTPClient
• ✅ file_get_contents

Reporting to your Aikido Security dashboard

Aikido is your no nonsense application security platform. One central system that scans your source code & cloud, shows you what vulnerabilities matter, and how to fix them - fast. So you can get back to building.

Zen is a new product by Aikido. Built for developers to level up their security. While Aikido scans, get Zen for always-on protection.

You can use some of Zen’s features without Aikido, of course. Peace of mind is just a few lines of code away.

But you will get the most value by reporting your data to Aikido.

You will need an Aikido account and a token to report events to Aikido. If you don't have an account, you can sign up for free.

Here's how:

• Log in to your Aikido account.
• Go to Zen.
• Go to apps.
• Click on Add app.
• Choose a name for your app.
• Click Generate token.
• Copy the token.
• Set the token as an environment variable, AIKIDO_TOKEN

Running in production (blocking) mode

By default, Zen will only detect and report attacks to Aikido.

To block requests, set the AIKIDO_BLOCK environment variable to true.

See Reporting to Aikido to learn how to send events to Aikido.

Benchmarks

Zen for PHP benchmarks are splitted into 2 categories:

• Benchmarks for single PHP operations (function calls) that are monitored by Zen
• Benchmarks for round-trip requests to PHP apps protected by Zen

We do automated benchmarks on each new version and we store the result in the repo. If you need some specific benchmarks for (OS, PHP version) pairs, check the benchmarks folder.

The benchmarking times displayed in this readme are computed with PHP 8.1 on the latest Ubuntu version.

Benchmarks for PHP operations

Benchmark	Avg. time w/o Zen	Avg. time w/ Zen	Delta
Shell Execution	1.3139	1.3509	0.0370 ms
Path Access	0.0129	0.0160	0.0031 ms
Outgoing Request	0.1030	0.1321	0.0291 ms
Sql Query	0.0138	0.0169	0.0031 ms

Benchmarks for PHP requests

Benchmark	Avg. time w/o Zen	Avg. time w/ Zen	Delta
Request With Rate Limiting Enabled	1.2310	1.6480	0.4170 ms
Request With User Setting	1.2230	1.4430	0.2200 ms
Request Simple	1.2370	1.3730	0.1360 ms

Uninstall

Manual uninstall

For Red Hat-based Systems (RHEL, CentOS, Fedora)

rpm -e aikido-php-firewall

For Debian-based Systems (Debian, Ubuntu)

dpkg --purge aikido-php-firewall

Bug bounty program

Our bug bounty program is public and can be found by all registered Intigriti users at: https://app.intigriti.com/researcher/programs/aikido/aikidoruntime

Contributing

See CONTRIBUTING.md for more information.

Code of Conduct

See CODE_OF_CONDUCT.md for more information.

Security

See SECURITY.md for more information.