Background
In essence, CSRF revolves around a malicious website, phishing email, third-party program or things of such nature, attempting to cause the victim's web browser (i.e. Chrome) to do something they do not wish to do.
For example - You play a videogame named X which allows you, as a player, to have a certain amount of currency that you can purchase, sell and trade with other players.
You then receive a cool email saying you can win a lot of gold, by clicking this link. The user clicks the link and suddenly transfers all his belongings to the malicious user's account without knowing, all through a simple HTTP request. :-(
Protection methods (For Web Services [No UI])
Now in many cases, web applications make use of:
- Anti-CSRF tokens
- CAPTCHAs
- Re-authentication (log the user out)
However for a REST service, the case shifts slightly. You would need to make use of a custom request header such as the -
X-Requested-With
The reason behind it is as follows (quoting OWASP's article which I highly recommend reading) -
"This defense relies on the same-origin policy (SOP) restriction that only JavaScript can be used to add a custom header, and only within its origin. By default, browsers don't allow JavaScript to make cross origin requests."
Resources
I have listed a few resources that you may want to go over. CSRF is quite an interesting vulnerability that bridges security flaws with social engineering. Hopefully you will find them useful.