Attacker origin:
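This page demonstrates the unanchored-regex bypass of cC = /https:\/\/((.*\.)?app|localhost)\.asana\.com/ against the Tray OAuth listener registered on app.asana.com. Because the pattern has no ^ or $ anchors, it matches any origin string that contains an allowed origin as a substring.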
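The origin check described above, next to a hardened form, as an added example that is not code from the original page or from the listener it describes. The function names and the sample list are hypothetical, and the allowlist in strictCheck (app.asana.com, its subdomains and localhost.asana.com, https only) is an assumption read off the regex.

```javascript
// Regex as quoted on the page: no ^ or $ anchors.
const cC = /https:\/\/((.*\.)?app|localhost)\.asana\.com/;

// Hypothetical wrapper: accepts when the regex matches anywhere in the string.
function weakCheck(origin) {
  return cC.test(origin);
}

// Hardened form (assumption: the intended hosts are app.asana.com, its
// subdomains and localhost.asana.com, over https on the default port).
function strictCheck(origin) {
  let u;
  try {
    u = new URL(origin);
  } catch {
    return false; // "null" and other non-URL origin strings
  }
  // Must be a bare, normalized origin: no path, userinfo or query.
  if (u.origin !== origin) return false;
  if (u.protocol !== 'https:' || u.port !== '') return false;
  const h = u.hostname;
  return h === 'app.asana.com' ||
         h.endsWith('.app.asana.com') ||
         h === 'localhost.asana.com';
}

// Constructed sample origins; the r0hn.de host is the one named on the page.
const samples = [
  'https://app.asana.com',
  'https://foo.app.asana.com',
  'https://localhost.asana.com',
  'https://victim.app.asana.com.r0hn.de',
  'http://app.asana.com',
  'null',
];

// One row per sample so the two checks can be compared side by side.
function compare() {
  return samples.map((origin) => ({
    origin,
    weak: weakCheck(origin),
    strict: strictCheck(origin),
  }));
}

console.table(compare());
```

The two checks disagree only on the lookalike host: comparing the parsed hostname against exact values and a dot-prefixed suffix removes the dependence on regex anchoring.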
Step 1: Open victim window (stub of the listener at victim.app.asana.com.r0hn.de — uses the verbatim listener code from bundle.beautified.js L731273-L731308).