Zen, your in-app firewall for peace of mind – at runtime.
Zen is an embedded Web Application Firewall that autonomously protects your PHP apps against common and critical attacks.
Zen protects your PHP apps by preventing user input containing dangerous strings, thus protecting agains attacks like SQL injection. It runs on the same server as your PHP app for simple install and zero maintenance.
Zen will autonomously protect your PHP applications from the inside against:
- 🛡️ SQL injection attacks
- 🛡️ Command injection attacks
- 🛡️ Path traversal attacks
- 🛡️ Server-side request forgery (SSRF)
Zen operates autonomously on the same server as your PHP app to:
- ✅ Secure your app like a classic web application firewall (WAF), but with none of the infrastructure or cost.
- ✅ Rate limit specific API endpoints by IP or by user
- ✅ Allow you to block specific users manually
Zen for PHP comes as a single package that needs to be installed on the system to be protected. Prerequisites:
- Ensure you have sudo privileges on your system.
- Check that you have a supported PHP version installed (PHP version >= 7.3 and test up to 8.3).
- Make sure to use the appropriate commands for your system or cloud provider.
rpm -Uvh --oldpackage https://github.com/AikidoSec/firewall-php/releases/download/v1.0.102/aikido-php-firewall.x86_64.rpm
curl -L -O https://github.com/AikidoSec/firewall-php/releases/download/v1.0.102/aikido-php-firewall.x86_64.deb
dpkg -i -E ./aikido-php-firewall.x86_64.deb
- In your repo, create a new file in
.ebextensions/01_aikido_php_firewall.config
with the following content:
commands:
aikido-php-firewall:
command: "rpm -Uvh --oldpackage https://github.com/AikidoSec/firewall-php/releases/download/v1.0.102/aikido-php-firewall.x86_64.rpm"
ignoreErrors: true
files:
"/opt/elasticbeanstalk/tasks/bundlelogs.d/aikido-php-firewall.conf" :
mode: "000755"
owner: root
group: root
content: |
/var/log/aikido-*/*.log
"/opt/elasticbeanstalk/tasks/taillogs.d/aikido-php-firewall.conf" :
mode: "000755"
owner: root
group: root
content: |
/var/log/aikido-*/*.log
- Go to
AWS EB enviroment -> Configuration -> Updates, monitoring, and logging -> Edit
and add the desired environment variables like: AIKIDO_TOKEN
- Go to
[server_name] -> [site_name] -> Enviroment
and add the desired environment variables like: AIKIDO_TOKEN - Go to "Recipes".
- Based on the running OS, use the Manual install commands to create a new recipe called "Install Aikido Firewall" and select "root" as user. Example for Debian-based systems:
cd /tmp
# Install commands from the "Manual install" section below, based on your OS
curl -L -O https://github.com/AikidoSec/firewall-php/releases/download/v1.0.99/aikido-php-firewall.x86_64.deb
dpkg -i -E ./aikido-php-firewall.x86_64.deb
# Restarting the php services in order to load the Aikido PHP Firewall
for service in $(systemctl list-units | grep php | awk '{print $1}'); do
sudo systemctl restart $service
done
- Based on the running OS, use the Manual uninstall commands to create a new recipe called "Uninstall Aikido Firewall" and select "root" as user. Example for Debian-based systems:
# Install commands from the "Manual uninstall" section below, based on your OS
dpkg --purge aikido-php-firewall
# Restarting the php services in order to load the Aikido PHP Firewall
for service in $(systemctl list-units | grep php | awk '{print $1}'); do
sudo systemctl restart $service
done
- Run the created recipes to install / uninstall the Aikido PHP Firewall.
- Go to
[server_name] -> [site_name] -> Enviroment
and add the desired environment variables like: AIKIDO_TOKEN - Use ssh to connect to the Forge server that you want to be protected by Aikido and, based on the running OS, execute the install commands from the Manual install section.
- Go to
[server_name] -> [site_name] -> Restart
and clickRestart PHP <version>
.
- In your repo, run
fly launch
. - Add the desired environment variables, by running
fly secrets set AIKIDO_TOKEN=AIK_RUNTIME...
. - Go to
./.fly/scripts
folder and create theaikido.sh
file with the Manual install commands:
#!/usr/bin/env bash
cd /tmp
curl -L -O https://github.com/AikidoSec/firewall-php/releases/download/v1.0.99/aikido-php-firewall.x86_64.deb
dpkg -i -E ./aikido-php-firewall.x86_64.deb
- Run
fly deploy
.
Zen for PHP supports the following PHP versions: 7.3, 7.4, 8.0, 8.1, 8.2, 8.3.
Zen for PHP is Web-framework agnostic, meaning that it will work on any PHP Web framework that you want to use.
Zen for PHP can do this because the monitored functions are hooked at the PHP-core level.
- ✅
PDO
- ✅
MySQL
- ✅
Oracle
- ✅
PostgreSQL
- ✅
ODBC and DB2
- ✅
Firebird
- ✅
Microsoft SQL Server
- ✅
SQLite
- ✅
- 🚧
MySQLi
- 🚧
Oracle OCI8
- 🚧
PostgreSQL
- 🚧
SQLite3
- ✅
cURL
- Including wrappers, when configured to use cURL as adapter:
- ✅
file_get_contents
Aikido is your no nonsense application security platform. One central system that scans your source code & cloud, shows you what vulnerabilities matter, and how to fix them - fast. So you can get back to building.
Zen is a new product by Aikido. Built for developers to level up their security. While Aikido scans, get Zen for always-on protection.
You can use some of Zen’s features without Aikido, of course. Peace of mind is just a few lines of code away.
But you will get the most value by reporting your data to Aikido.
You will need an Aikido account and a token to report events to Aikido. If you don't have an account, you can sign up for free.
Here's how:
- Log in to your Aikido account.
- Go to Zen.
- Go to apps.
- Click on Add app.
- Choose a name for your app.
- Click Generate token.
- Copy the token.
- Set the token as an environment variable,
AIKIDO_TOKEN
By default, Zen will only detect and report attacks to Aikido.
To block requests, set the AIKIDO_BLOCK
environment variable to true
.
See Reporting to Aikido to learn how to send events to Aikido.
Zen for PHP benchmarks are splitted into 2 categories:
- Benchmarks for single PHP operations (function calls) that are monitored by Zen
- Benchmarks for round-trip requests to PHP apps protected by Zen
We do automated benchmarks on each new version and we store the result in the repo. If you need some specific benchmarks for (OS, PHP version) pairs, check the benchmarks folder.
The benchmarking times displayed in this readme are computed with PHP 8.1 on the latest Ubuntu version.
Benchmark | Avg. time w/o Zen | Avg. time w/ Zen | Delta |
---|---|---|---|
Shell Execution | 1.3139 | 1.3509 | 0.0370 ms |
Path Access | 0.0129 | 0.0160 | 0.0031 ms |
Outgoing Request | 0.1030 | 0.1321 | 0.0291 ms |
Sql Query | 0.0138 | 0.0169 | 0.0031 ms |
Benchmark | Avg. time w/o Zen | Avg. time w/ Zen | Delta |
---|---|---|---|
Request With Rate Limiting Enabled | 1.2310 | 1.6480 | 0.4170 ms |
Request With User Setting | 1.2230 | 1.4430 | 0.2200 ms |
Request Simple | 1.2370 | 1.3730 | 0.1360 ms |
rpm -e aikido-php-firewall
dpkg --purge aikido-php-firewall
Our bug bounty program is public and can be found by all registered Intigriti users at: https://app.intigriti.com/researcher/programs/aikido/aikidoruntime
See CONTRIBUTING.md for more information.
See CODE_OF_CONDUCT.md for more information.
See SECURITY.md for more information.