$1,000 Bounty for Bypassing Restrictions via Modified HTTP Request
Hello,
Here I want to publish one of my recent findings, which helped me earn a $1,000 bounty.
I reported a normal brute-force issue on Target.com/user/xyz/login; unfortunately it was marked as a duplicate, and the first reporter got a $500 bounty at Medium severity.
After 2 months, I saw that the report had been fixed. The team disabled /user/xyz/register and /user/xyz/login, but the login form was still there; when I clicked submit it gave me “Error” even with valid credentials.
I quickly opened Burp and viewed the request, which looked like this:
OPTIONS /user/xyz/login HTTP/1.1
Host: TARGET
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:139.0) Gecko/20100101 Firefox/139.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Access-Control-Request-Method: POST
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: cross-site
Priority: u=4
Te: trailers
Connection: keep-alive
I was unable to see the credentials I had used to log in, so I quickly sent this request to Burp Repeater and just changed the method from OPTIONS to POST; see below
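The lesson for the defending team is that "disabling" an endpoint must hold for every HTTP method and every spelling of the path, not just for the request shape the UI form happens to send. The following is an added example written for this write-up, not code from the original post or from the target; the target's real stack is unknown, so it uses a plain WSGI app, and the "weak" guard is a hypothetical partial fix keyed on the exact (POST, path) pair, shown beside a hardened guard that retires the path for all methods and records every hit for detection.

```python
"""Added example (not from the original post): retiring an endpoint for
every HTTP method versus only for the exact request the UI form sends.
The target's stack is unknown; this is a generic WSGI illustration and the
'weak' guard is a hypothetical partial fix, not the target's configuration."""
from urllib.parse import unquote
from wsgiref.util import setup_testing_defaults

# Constructed retired paths, modelled on the /user/xyz/login and
# /user/xyz/register endpoints the post says were disabled.
RETIRED_PATHS = {"/user/xyz/login", "/user/xyz/register"}

# Audit trail of every request that touched a retired endpoint; a SOC can
# alert on method/override combinations the UI never produces.
AUDIT_LOG = []


def normalize_path(raw):
    """Percent-decode, collapse duplicate slashes, strip a trailing slash and
    lowercase so variants like /user//xyz/Login/ still match the retired entry."""
    path = unquote(raw)
    while "//" in path:
        path = path.replace("//", "/")
    if len(path) > 1 and path.endswith("/"):
        path = path[:-1]
    return path.lower()


def weak_is_blocked(environ):
    """Hypothetical partial fix: only the exact (POST, path) pair the login
    form submits is refused; any other method or path spelling falls through."""
    return environ["REQUEST_METHOD"] == "POST" and environ["PATH_INFO"] in RETIRED_PATHS


def hardened_is_blocked(environ):
    """Retired means retired: decision is keyed on the normalized path alone,
    so OPTIONS, HEAD, PATCH or an override header make no difference."""
    return normalize_path(environ["PATH_INFO"]) in RETIRED_PATHS


def make_app(is_blocked):
    """Tiny WSGI app: the guard runs before the still-registered legacy handler
    (the post notes the login form and its backend route had not been removed)."""
    def app(environ, start_response):
        method = environ["REQUEST_METHOD"]
        path = environ["PATH_INFO"]
        if is_blocked(environ):
            override = environ.get("HTTP_X_HTTP_METHOD_OVERRIDE", "-")
            AUDIT_LOG.append(
                f"retired-endpoint hit method={method} path={path} override={override}"
            )
            start_response("410 Gone", [("Content-Type", "text/plain")])
            return [b"gone"]
        start_response("200 OK", [("Content-Type", "text/plain")])
        return [b"legacy login handler reached"]
    return app


def probe(app, method, path, headers=None):
    """Drive the app with a constructed request and return its status line."""
    environ = {}
    setup_testing_defaults(environ)
    environ["REQUEST_METHOD"] = method
    environ["PATH_INFO"] = path
    for name, value in (headers or {}).items():
        environ["HTTP_" + name.upper().replace("-", "_")] = value
    captured = {}

    def start_response(status, response_headers, exc_info=None):
        captured["status"] = status

    list(app(environ, start_response))  # consume the body iterable
    return captured["status"]


# Constructed coverage set: the methods seen in the post plus path spellings
# a reviewer should expect a disabled route to reject.
VARIANTS = [
    ("POST", "/user/xyz/login"),
    ("OPTIONS", "/user/xyz/login"),
    ("GET", "/user/xyz/login"),
    ("HEAD", "/user/xyz/login"),
    ("POST", "/user/xyz/login/"),
    ("POST", "/user/xyz/register"),
]


def leaks(is_blocked):
    """Return the (method, path) variants that still reach the legacy handler."""
    app = make_app(is_blocked)
    return [(m, p) for m, p in VARIANTS if probe(app, m, p).startswith("200")]


if __name__ == "__main__":
    print("weak guard leaks:", leaks(weak_is_blocked))
    print("hardened guard leaks:", leaks(hardened_is_blocked))
    print("\n".join(AUDIT_LOG))
```

Running the block shows the weak guard letting OPTIONS, GET, HEAD and the trailing-slash POST through while the hardened guard returns 410 Gone for all of them; the same `leaks()` check is cheap to keep as a regression test whenever an endpoint is retired, so a fix is verified against the whole method set rather than only the form's own POST.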