CSRF hacks involve posting data to a valid URL that requires authentication. The hack depends on an authentication token that is available in the browser's cache: when the bad URL does the post, the browser uses the cached credentials. Even if we have a WebAPI-backed application, the same loophole exists. In fact, when WebAPI with Basic Authentication is enabled, the hack is a little easier to execute, because browsers cache Basic Auth credentials to avoid prompting for authentication for each resource they fetch.
Read the tutorial on how to prevent CSRF hacks here: http://www.dotnetcurry.com/ShowArticle.aspx?ID=890
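Because the browser attaches cached Basic Auth credentials on its own, the server needs a second value that only a page from its own origin can supply. The handler below is an added example of one common mitigation, not code from the linked tutorial; the class name `AntiForgeryHandler` and the header name `X-XSRF-Token` are hypothetical, and it assumes an IIS-hosted Web API on .NET 4.5 where `System.Web.Helpers.AntiForgery` is available and the page echoes the form token in that header.

```csharp
using System.Collections.Generic;
using System.Linq;
using System.Net;
using System.Net.Http;
using System.Threading;
using System.Threading.Tasks;
using System.Web.Helpers;   // AntiForgery, AntiForgeryConfig

// Hypothetical handler; register with config.MessageHandlers.Add(new AntiForgeryHandler()).
public class AntiForgeryHandler : DelegatingHandler
{
    // Assumed header that our own page's script uses to send the form token.
    private const string TokenHeader = "X-XSRF-Token";

    protected override Task<HttpResponseMessage> SendAsync(
        HttpRequestMessage request, CancellationToken cancellationToken)
    {
        // Safe methods must not change state, so only the others are checked.
        if (request.Method == HttpMethod.Get || request.Method == HttpMethod.Head ||
            request.Method == HttpMethod.Options)
            return base.SendAsync(request, cancellationToken);

        // Cookie token: sent automatically by the browser, just like cached Basic Auth.
        var cookie = request.Headers.GetCookies(AntiForgeryConfig.CookieName)
                            .SelectMany(c => c.Cookies)
                            .FirstOrDefault(c => c.Name == AntiForgeryConfig.CookieName);

        // Header token: a cross-site form post cannot read it or set this header.
        IEnumerable<string> values;
        string headerToken = request.Headers.TryGetValues(TokenHeader, out values)
            ? values.FirstOrDefault() : null;

        if (cookie == null || string.IsNullOrEmpty(headerToken))
            return Reject(request);

        try
        {
            // Throws when the pair does not match or was issued to another user.
            AntiForgery.Validate(cookie.Value, headerToken);
        }
        catch (System.Web.Mvc.HttpAntiForgeryException)
        {
            return Reject(request);
        }
        return base.SendAsync(request, cancellationToken);
    }

    // A valid Authorization header alone is not enough: answer 403 without the token pair.
    private static Task<HttpResponseMessage> Reject(HttpRequestMessage request)
    {
        return Task.FromResult(
            new HttpResponseMessage(HttpStatusCode.Forbidden) { RequestMessage = request });
    }
}
```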