Audit-Ready Reports

We give your team the proof, coverage, and retest evidence needed for security reviews.

Executive Report

A business view of the key findings, their impact, and the recommended actions.

For: Leadership and Reviewers

Answers:
  • What matters most?
  • What is the business impact?
  • What actions are recommended?
Executive Report

Assessment Date: 2026-05-14

Executive Summary

We tested Switchboard, a customer operations app for support tickets, attachments, billing, account login, and support assistant workflows. The assessment covered the public web app, API routes, file access, authentication behavior, webhook handling, and browser security controls. We found three confirmed issues and one conditional weakness that depends on browser cookie behavior.

Fix Now

1. Ticket attachments can be downloaded without login.

File download URLs returned customer uploads even when no session cookie was present.

2. The billing webhook crashes before signature checks.

Malformed unsigned payloads returned stack traces instead of being rejected cleanly.

3. Debug routes are live in production.

Public routes exposed source paths, hidden endpoints, and support assistant instructions.
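As an added illustration of finding 2 and its fix (example code, not from the report or the Switchboard app): a billing webhook handler in the order the report describes, parse first and verify later, beside the hardened order, verify the raw bytes first, then parse, and answer every rejection with the same generic error. It assumes the provider signs the raw body with HMAC-SHA256 and sends the hex digest in an X-Signature header; the secret, header name and payload are constructed for the demo.

```python
import hashlib
import hmac
import json
from typing import Optional, Tuple

WEBHOOK_SECRET = b"constructed-demo-secret"  # constructed; a real secret comes from config

# One generic response for every rejection, so the sender learns nothing
# about which check failed and no stack trace reaches the wire.
REJECTED: Tuple[int, dict] = (400, {"error": "invalid webhook request"})


def verify_signature(raw_body: bytes, signature_header: Optional[str], secret: bytes) -> bool:
    """Constant-time HMAC-SHA256 check over the raw, unparsed bytes."""
    if not signature_header:
        return False
    expected = hmac.new(secret, raw_body, hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, signature_header.strip().lower())


def handle_billing_webhook_before(raw_body: bytes, signature_header: Optional[str]):
    """The ordering the finding describes: parse first, verify afterwards.
    A malformed body raises here before the signature is ever checked; in a
    debug-enabled app that unhandled exception is what surfaces as a stack trace."""
    event = json.loads(raw_body)  # raises on malformed input
    if not verify_signature(raw_body, signature_header, WEBHOOK_SECRET):
        return REJECTED
    return 200, {"received": event["type"]}


def handle_billing_webhook(raw_body: bytes, signature_header: Optional[str]):
    """Hardened ordering: authenticate the raw bytes, then parse, and turn every
    failure (unsigned, bad signature, malformed JSON, missing fields) into REJECTED."""
    if not verify_signature(raw_body, signature_header, WEBHOOK_SECRET):
        return REJECTED
    try:
        event = json.loads(raw_body)
        event_type = event["type"]
    except (ValueError, KeyError, TypeError):
        return REJECTED
    return 200, {"received": event_type}


def sign(raw_body: bytes, secret: bytes = WEBHOOK_SECRET) -> str:
    """Build a valid X-Signature value for a test payload (what the provider would send)."""
    return hmac.new(secret, raw_body, hashlib.sha256).hexdigest()
```

The verify-then-parse order also means unsigned traffic never reaches the JSON parser, so parser bugs cannot be triggered by anonymous senders.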

Fix If

Ticket changes rely on browser-only CSRF protection.

Direct PATCH requests changed ticket metadata without a CSRF token, but browser SameSite behavior blocked the cross-site path.

Business Impact

  • Customer data risk: support files are reachable without the expected access checks.
  • Operational risk: debug output gives attackers a route map for follow-up testing.
  • Change risk: ticket changes depend on browser cookie behavior instead of a server-side CSRF check.

Recommended Actions

Action                                            Tier
Gate file downloads behind ticket access checks   Fix Now
Remove debug routes from production               Fix Now
Return generic errors on malformed webhooks       Fix Now
Add server-side CSRF checks to ticket changes     Fix If

Summary Statistics

  • Fix Now: 3 findings
  • Fix If: 1 finding
  • Strengthen: 3 recommendations

This is a mock report intended only to show report format and sections.