In Django versions before 4.2.7, 4.1.13, and 3.2.23, I sent a POST request to the admin login page using Burp Suite, editing the request to send over 1 million invalid Unicode characters to my local web server running Django. (I used: "¾")
After submitting, a single request took 4.4 seconds on average.
When I sent 20 concurrent requests, I got 60-second wait times and 504 Gateway Timeout errors on my machine.
{F2871465}
Normal ASCII characters don't do this, and the page loads instantly.
Denial of Service anywhere a form contains a UsernameField that checks for errors.
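The following is an added illustration, not code from the report above and not Django's own source. It models the two shapes of `UsernameField.to_python()`: the pre-fix version, which runs `unicodedata.normalize("NFKC", ...)` on whatever the client sent before any length validation happens, and the post-fix version, which only normalizes when the value is already within `max_length` and otherwise returns it unchanged so the field's ordinary max-length validation rejects it cheaply. `MAX_LENGTH = 150` is an assumption matching the default `username` field length; the timing helper and the `build_payload` function are hypothetical and exist only to reproduce the report's 1-million-character "¾" input. NFKC is the reason "¾" hurts where ASCII does not: it is a compatibility character that decomposes to three code points, so the normalizer has real work to do for every position.

```python
import time
import unicodedata
from typing import Callable, Optional

# Assumption: Django's default AbstractUser.username max_length.
MAX_LENGTH = 150


def to_python_vulnerable(value: str) -> str:
    """Pre-fix shape: normalize unconditionally, before any length check.

    A 1,000,000-character string reaches the normalizer untouched, so the
    cost of the request is proportional to attacker-controlled input.
    """
    return unicodedata.normalize("NFKC", value)


def to_python_hardened(value: str, max_length: Optional[int] = MAX_LENGTH) -> str:
    """Post-fix shape: skip normalization when the value already exceeds
    max_length. The unnormalized value is returned as-is and the field's
    max_length validator then rejects it in O(1) without touching NFKC.
    """
    if max_length is None or len(value) <= max_length:
        return unicodedata.normalize("NFKC", value)
    return value


def build_payload(n: int = 1_000_000, ch: str = "¾") -> str:
    """Constructed input mirroring the report: n copies of a compatibility
    character. U+00BE NFKC-decomposes to '3', U+2044 FRACTION SLASH, '4'.
    """
    return ch * n


def time_call(fn: Callable[[str], str], value: str) -> float:
    """Wall-clock seconds for one call; returned, not printed, so it can be compared."""
    start = time.perf_counter()
    fn(value)
    return time.perf_counter() - start


if __name__ == "__main__":
    payload = build_payload()
    print(f"vulnerable to_python: {time_call(to_python_vulnerable, payload):.3f}s")
    print(f"hardened to_python:   {time_call(to_python_hardened, payload):.3f}s")
```

Run it directly to compare the two paths on the same oversized input; the hardened variant returns almost immediately because it never normalizes anything longer than `max_length`, while short, legitimate usernames (including ones that NFKC folds, such as full-width letters) are still normalized exactly as before.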