How to do it...

  1. Switch to Burp BApp Store and install two plugins, JSON Beautifier and JSON Web Tokens:

  2. In the Firefox browser, go to your OneLogin page. The URL will be specific to the developer account you created. Log in to the account using the credentials you established when you set up the account before beginning this recipe:

  3. Switch to the Burp Proxy | HTTP history tab. Find the POST request with the URL /access/auth. Right-click and click the Send to Repeater option.
  4. Your host value will be specific to the OneLogin account you set up:

  5. Switch to the Repeater tab and notice that you have two additional tabs relating to the two extensions you installed:

  6. Click the JSON Beautifier tab to view the JSON structure in a more readable manner:

  7. Click the JSON Web Tokens tab to reveal a debugger very similar to the one available at https://jwt.io. This plugin allows you to read the claims content and manipulate the signature algorithm for various brute-force tests. For example, in the following screenshot, notice how you can change the algorithm to nOnE in order to attempt to create a new JWT to place into the request:
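The reason the nOnE test in the last step is worth running is that a verifier which trusts the alg field of the token header will accept an unsigned token as valid. The following added example (not code from the book, from Burp, or from OneLogin) shows the server side of that check: a flawed verifier that honours alg none, beside a hardened one that pins the algorithm it expects and rejects everything else. The key DEMO_KEY and the function names are constructed for the demonstration; the token format (base64url header, claims and signature separated by dots) follows the JWT specification.

```python
import base64
import hashlib
import hmac
import json

# Constructed sample key for the demo; a real service loads this from a secret store.
DEMO_KEY = b"constructed-demo-signing-key"


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    # Re-add the padding that JWT strips before decoding.
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _encode_part(obj: dict) -> str:
    return _b64url_encode(json.dumps(obj, separators=(",", ":")).encode("utf-8"))


def sign_hs256(claims: dict, key: bytes) -> str:
    """Issue a properly signed HS256 token, as the server hands it to the client."""
    signing_input = _encode_part({"alg": "HS256", "typ": "JWT"}) + "." + _encode_part(claims)
    sig = hmac.new(key, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + _b64url_encode(sig)


def unsigned_token(claims: dict, alg: str = "nOnE") -> str:
    """Build the kind of test token the JSON Web Tokens tab produces when the
    algorithm is switched to none: the header names alg none, the signature part is empty."""
    return _encode_part({"alg": alg, "typ": "JWT"}) + "." + _encode_part(claims) + "."


def _split(token: str):
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header = json.loads(_b64url_decode(parts[0]))
    claims = json.loads(_b64url_decode(parts[1]))
    return header, claims, parts


def _hs256_matches(parts, key: bytes) -> bool:
    expected = hmac.new(key, f"{parts[0]}.{parts[1]}".encode("ascii"), hashlib.sha256).digest()
    return bool(parts[2]) and hmac.compare_digest(expected, _b64url_decode(parts[2]))


def verify_lenient(token: str, key: bytes) -> dict:
    """Flawed verifier: lets the token header choose the algorithm."""
    header, claims, parts = _split(token)
    alg = str(header.get("alg", "")).lower()
    if alg == "none":
        return claims  # accepts any unsigned token: the weakness the recipe tests for
    if alg == "hs256" and _hs256_matches(parts, key):
        return claims
    raise ValueError("bad signature")


def verify_strict(token: str, key: bytes, expected_alg: str = "HS256") -> dict:
    """Hardened verifier: the server, not the token, decides the algorithm."""
    header, claims, parts = _split(token)
    if header.get("alg") != expected_alg:
        raise ValueError(f"unexpected alg {header.get('alg')!r}")
    if not _hs256_matches(parts, key):
        raise ValueError("bad signature")
    return claims


def accepts(verifier, token: str, key: bytes) -> bool:
    """True if the given verifier treats the token as valid."""
    try:
        verifier(token, key)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    good = sign_hs256({"sub": "alice", "admin": False}, DEMO_KEY)
    forged = unsigned_token({"sub": "alice", "admin": True})
    print("lenient accepts unsigned token:", accepts(verify_lenient, forged, DEMO_KEY))
    print("strict accepts unsigned token:", accepts(verify_strict, forged, DEMO_KEY))
    print("strict accepts signed token:", accepts(verify_strict, good, DEMO_KEY))
```

When you replay the nOnE token from Repeater against a real application, a 200 response with the elevated claims honoured corresponds to the verify_lenient path above; the fix is the verify_strict pattern, where the accepted algorithm is fixed in server configuration and the token header is never consulted to pick it.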
