http://google-gruyere.appspot.com/
This brings you to the "Web Application Exploits and Defenses" page.
Scan this page, and at the bottom, click Continue.
This brings you to the "Web Application Exploits and Defenses (Part 1)" page.
Read the "Setup" section. Open your own instance of Gruyere in a second browser window.
At the bottom of this page, read the "Using Gruyere" section. Perform the tasks listed there.
At the bottom of the page, click Continue.
This brings you to the "Web Application Exploits and Defenses (Part 2)" page.
Save an image with the name "Project 2xa from YOUR NAME"
There is a warning that you may need to disable XSS Protection in your browser, but I was able to do all the exploits with normal Chrome. The disabling seems unnecessary.
Create a Reflected XSS that makes a box pop up with your name and the phrase "Reflected XSS" in it, as shown below:
Save an image with the name "Project 2xb from YOUR NAME"
Create a Stored XSS that makes a box pop up with your name and the phrase "Stored XSS" in it, as shown below:
Save an image with the name "Project 2xc from YOUR NAME"