I enjoy performing penetration tests, and I also enjoy teaching how to do penetration testing correctly. When I am teaching, one of the points I make is to never consider the vulnerabilities in isolation; using them in combination truly demonstrates the risk and impact. I was performing a web application penetration test, and the list of things that it was vulnerable to was quite impressive!
More here: https://isc.sans.edu/diary/Complete+application+ownage+via+Multi-POST+XSRF/18507