feat(waf): data-driven WAF engine, charset/header probes, README update

- Replace ad-hoc waf.py with orchestrator + signature loader + bypass engine
- Add PROBE-CHARSET-01 (IBM037 body) and PROBE-HEADER-01 (X-Forwarded-For)
- Provider YAMLs and bypass chains for 10 WAFs; scanner uses get_bypass_payloads
- Update README WAF section and What's New

Author: fevra-dev

.github/workflows/security-scan.yml

@@ -0,0 +1,30 @@
+name: Security Scan
+on:
+  push:
+    branches: [ main, develop ]
+  pull_request:
+    branches: [ main ]
+  schedule:
+    - cron: '0 0 * * 0'
+jobs:
+  security-scan:
+    runs-on: ubuntu-latest
+    steps:
+    - uses: actions/checkout@v4
+    - name: Set up Python
+      uses: actions/setup-python@v5
+      with:
+        python-version: '3.11'
+    - name: Install Stiletto
+      run: pip install -r requirements.txt
+    - name: Run Stiletto
+      env:
+        TARGET_URL: ${{ secrets.TARGET_URL }}
+      run: |
+        python stiletto.py -u "$TARGET_URL" --output json -o stiletto_results.json || true
+    - name: Upload results
+      if: always()
+      uses: actions/upload-artifact@v4
+      with:
+        name: stiletto-results
+        path: stiletto_results.json

README.md

@@ -29,6 +29,7 @@ Built for learning, authorized penetration testing, and security research.
 - **CVE Sync**: Automatically sync SQL injection CVEs from [Trickest's 23K+ CVE repository](https://github.com/trickest/cve)
 - **PoC Fetcher**: Extracts real payloads from GitHub exploit repositories
 - **Dynamic Payloads**: Scanner uses 115+ payloads extracted from real-world CVEs (2023-2025)
+- **Data-driven WAF engine**: Provider definitions in YAML (`waf_signatures/providers/`), passive header + active probe fingerprinting, charset (IBM037) and header-injection probes, provider-specific bypass chains
 - **Latest Techniques**: Stay current with latest SQLi bypasses, WAF evasions, and PoCs
 - **Threat Intelligence**: 500+ SQLi CVEs catalogued with PoC references
 - **Enhancements**: Second-order SQLi, HPP, GraphQL SQLi, OOB, exploit chains, compliance (PCI-DSS/ASVS/GDPR), remediation verification, genetic fuzzer, cloud-specific tests, CISA KEV/ExploitDB enrichment, and CI/CD config generator
@@ -113,10 +114,13 @@ python stiletto.py -u "http://example.com/page?id=1" --second-order --hpp --grap
 | **JSON-Based** | WAF bypass via JSON syntax | MySQL, PostgreSQL, MongoDB |
 | **Stacked Queries** | Multiple statement execution | MSSQL, PostgreSQL |
 
-### 🛡️ WAF Detection & Bypass
-- **30+ WAF Signatures**: Cloudflare, AWS WAF, Akamai, Imperva, F5, ModSecurity, and more
-- **20+ Tamper Techniques**: Automatic payload obfuscation to bypass filters
-- **Adaptive Bypass**: Selects optimal techniques based on detected WAF
+### 🛡️ WAF Detection & Bypass (Data-Driven Engine)
+- **Provider YAML definitions**: 10 major WAFs (Cloudflare, AWS WAF, Azure, Akamai, F5, Imperva, ModSecurity/CRS, Google Cloud Armor, Fortinet, Palo Alto) with signatures and blind spots in `src/waf_signatures/providers/*.yaml`
+- **Passive + active fingerprinting**: Header-based detection first; if inconclusive, a probe suite sends targeted SQLi payloads and scores providers by which probes get blocked
+- **Probe suite**: Standard GET/POST parameter probes, plus **charset probe** (IBM037-encoded body with `Content-Type: charset=ibm037`) and **header-injection probe** (payload in `X-Forwarded-For`) to detect WAFs that don’t inspect those vectors
+- **Provider-specific bypass chains**: Each provider has an ordered list of strategies (encoding, comment, charset, JSON syntax, size overflow, header abuse, etc.); the engine applies the chain to generate obfuscated payload variants
+- **20+ transform techniques**: `randomcase`, `space2comment`, `mysql_version_comment`, `double_urlencode`, `encode_ibm037`, `prepend_json_operator`, `pad_to_8kb`, `move_to_header`, and more
+- **Backward compatibility**: Scanner still uses `WAFDetector.detect()` and `get_bypass_payloads()`; legacy `WAFType` / `WAFDetectionResult` / `TamperEngine` remain for compatibility
 
 ### 🤖 AI-Powered Features
 - **GPT-4 Payload Generation**: Context-aware payloads that adapt to WAF blocks

requirements.txt

@@ -8,6 +8,9 @@
 # Async HTTP client
 aiohttp>=3.9.0
 
+# WAF signature definitions (YAML)
+PyYAML>=6.0
+
 # Standard HTTP requests (fallback)
 requests>=2.31.0