Attack the live stack
Every other page here shows the happy path. This one fires four real attack attempts at the running stack — a forged token, a tier-escalation attempt, a request with no credentials at all, and a replay of a revoked session — and shows exactly which component caught each one: the gateway's signature check, OPA's policy, or the BFF's session store.
Every demo so far shows the happy path. This one fires the requests an attacker would actually try — against the real, running stack — and shows exactly which layer rejects each one. Nothing here is simulated: these are live HTTP calls to APISIX, OPA, and session-service.
The tier-escalation attempt needs a real basic.user token first (the other three work standalone).
Forged / tampered JWT
A JWT-shaped string claiming admin tier, never signed by Keycloak.
Tier escalation
Real basic.user token requesting an admin-only route.
Missing credentials
A protected route hit with no Authorization header at all.
Replay after logout (BFF)
Use a session_id again right after logging out with it.
Results
No attempts yet — pick one above.