How to do it...

With the help of the following steps, we will perform manual text-based audits using the Burp Suite Repeater:

  1. To use Burp Suite Repeater, a request needs to be sent to it either from an en-route capture via an intercept or from the proxy history. In either case, right-click on the request and then select Send to Repeater, as shown in the following screenshot:
  2. In the example provided, the user is asked to provide a name, and the server returns the provided input in the HTML response. To test for the possibility of cross-site scripting, we should first inject a series of characters commonly used in such an attack, as shown in the following screenshot:
  3. After sending the series of characters, we can see that all of the characters were returned in the HTML content and none were escaped. This is a very strong indication that the function is vulnerable to cross-site scripting. To test the exploitability of this vulnerability, we can enter the standard test payload <script>alert('xss')</script>, as shown in the following screenshot:
  4. By reviewing the returned HTML content, we can see that the opening script tag has been stripped from the response. This is likely an indication of blacklisting that prohibits the use of the <script> tag in the input. The problem with blacklisting is that it can often be circumvented by slightly modifying the input. In this case, we can attempt to circumvent the blacklisting by modifying the case of several characters in the opening tag, as shown in the following screenshot:
  5. By using the opening <ScRiPt> tag, we can see that the imposed restriction has been bypassed and both the opening and closing tags have been included in the response. This can be confirmed by issuing the request in a browser, as shown in the following screenshot:
  6. To evaluate the response in the client browser, right-click on the request and then select Request in browser. This will generate a URL that can be used to reissue the request in a browser that is actively connected to Burp Proxy, as shown in the following screenshot:
  7. We can copy the URL manually or by clicking on the Copy button. This URL can then be pasted into the browser, and the request will be issued from there. Assuming the cross-site scripting attack was successful, the client-side JavaScript code will be rendered in the browser, and an alert will appear on the screen, as shown in the following screenshot:
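The following is an added example, not code from the book or from the test application it screenshots, illustrating why the blacklist seen in steps 4 and 5 fails and what the correct fix looks like. The filter, the greeting page and the probe strings are all constructed here to mirror the walkthrough; the real application's server-side code is not shown in the text.

```python
import html
import re

# Constructed probe strings matching the two requests sent from Repeater above.
PROBES = [
    "<script>alert('xss')</script>",
    "<ScRiPt>alert('xss')</ScRiPt>",
]


def blacklist_filter(name: str) -> str:
    """Hypothetical server-side filter reproducing the observed behaviour:
    only the literal, lower-case opening <script> tag is removed."""
    return name.replace("<script>", "")


def escape_output(name: str) -> str:
    """The fix: encode the value for an HTML text context instead of trying to
    enumerate dangerous inputs. Case variations are irrelevant once '<' and '>'
    are encoded."""
    return html.escape(name, quote=True)


def render_greeting(name: str, sanitizer) -> str:
    """Constructed stand-in for the page that reflects the submitted name."""
    return f"<p>Hello, {sanitizer(name)}!</p>"


def contains_active_script(body: str) -> bool:
    """Check a tester can apply to the returned body in Repeater: does an
    executable <script> element survive in the markup, in any letter case?"""
    return re.search(r"<script\b", body, re.IGNORECASE) is not None


if __name__ == "__main__":
    for probe in PROBES:
        for label, sanitizer in (("blacklist", blacklist_filter), ("escape", escape_output)):
            body = render_greeting(probe, sanitizer)
            print(f"{label:9} {probe!r:34} script survives: {contains_active_script(body)}")
```

The blacklist stops the lower-case probe but passes the mixed-case one, which is exactly the result seen in steps 4 and 5; output encoding neutralises both without any knowledge of the attacker's input.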