Document Generation Security Assessment - A DocOrigin Case Study

dc.contributor.author: Tamminen, Leo
dc.contributor.department: fi=Tietotekniikan laitos|en=Department of Computing|
dc.contributor.faculty: fi=Teknillinen tiedekunta|en=Faculty of Technology|
dc.contributor.studysubject: fi=Tietotekniikka|en=Information and Communication Technology|
dc.date.accessioned: 2026-05-18T19:31:44Z
dc.date.issued: 2026-05-11
dc.description.abstract: Enterprise document generation systems are widely used in modern organizations to automatically generate large volumes of business-critical documents such as invoices, payslips, and official communications. These systems process sensitive data and are often deeply integrated into enterprise backend environments, making their security a critical concern. Despite their importance, document production platforms are frequently treated as supporting systems, and their architecture-level security aspects may receive limited attention. This thesis evaluates the security of a real-world ERP-to-DocOrigin document production pipeline using two industry-recognized standards: OWASP Application Security Verification Standard (ASVS) v5.0.0 and the AS&D Security Technical Implementation Guide (STIG) Version 6, Release 4. The evaluation combines a systematic literature review of document pipeline security risks with a practical case study based on a production environment running the DocOrigin document generation platform. The application was evaluated against the OWASP ASVS at the application level and against AS&D STIG at the environment level. The results show that DocOrigin operates as a component-style engine that delegates security entirely to its surrounding environment, a pattern termed the dumb engine hypothesis in this study. Proven vulnerabilities include input validation failures, a successful Billion Laughs denial-of-service attack, plain-text credential storage, and a total absence of drive encryption in the reference environment. Nineteen out of twenty-three high severity STIG findings were confirmed as active. The findings are applicable to organizations deploying similar document generation systems, particularly in regulated or defense-sector contexts.
dc.format.extent: 102
dc.identifier.uri: https://www.utupub.fi/handle/11111/60785
dc.identifier.urn: URN:NBN:fi-fe2026051847874
dc.language.iso: eng
dc.rights: fi=Julkaisu on tekijänoikeussäännösten alainen. Teosta voi lukea ja tulostaa henkilökohtaista käyttöä varten. Käyttö kaupallisiin tarkoituksiin on kielletty.|en=This publication is copyrighted. You may download, display and print it for Your own personal use. Commercial use is prohibited.|
dc.rights.accessrights: avoin
dc.subject: OWASP ASVS
dc.subject: STIG
dc.subject: cyber security
dc.subject: document generation
dc.subject: document pipeline security
dc.subject: ERP integration
dc.subject: CCM
dc.subject: penetration testing
dc.subject: security hardening
dc.subject: DocOrigin
dc.title: Document Generation Security Assessment - A DocOrigin Case Study
dc.type.ontasot: fi=Diplomityö|en=Master's thesis|

Files

Name: Tamminen_Thesis.pdf
Size: 688.43 KB
Format: Adobe Portable Document Format