I am building a web service that exclusively uses JSON for its request and response content (i.e., no form encoded payloads).
Is a web service vulnerable to
It is possible to do CSRF on JSON-based RESTful services using Ajax. I tested this on an application (using both Chrome and Firefox). You have to change the contentType to text/plain and the dataType to JSON in order to avoid a preflight request. Then you can send the request, but in order to send session data, you need to set the withCredentials flag in your Ajax request. I discuss this in more detail here (references are included):
http://wsecblog.blogspot.be/2016/03/csrf-with-json-post-via-ajax.html
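
A server-side check against the text/plain request described in the answer above, as an added example that is not part of the original post: it rejects state-changing requests whose Content-Type is not application/json, then checks Origin against an allow-list. The function names, the request shape and the example origins are assumptions made for illustration.

```javascript
// Added example: server-side guard for a JSON-only API (names are hypothetical).
// Content types a browser will send cross-origin WITHOUT a CORS preflight.
const PREFLIGHT_FREE_TYPES = new Set([
  "text/plain",
  "application/x-www-form-urlencoded",
  "multipart/form-data",
]);
const STATE_CHANGING = new Set(["POST", "PUT", "PATCH", "DELETE"]);

// Strip parameters such as "; charset=UTF-8" and normalise case.
function mediaType(headerValue) {
  return String(headerValue || "").split(";")[0].trim().toLowerCase();
}

// Decide whether to accept a request. `req` is { method, headers } with
// lower-cased header names; `allowedOrigins` is an assumed allow-list.
function checkJsonRequest(req, allowedOrigins) {
  const method = req.method.toUpperCase();
  if (!STATE_CHANGING.has(method)) return { ok: true };

  const type = mediaType(req.headers["content-type"]);
  if (type !== "application/json") {
    const reason = PREFLIGHT_FREE_TYPES.has(type)
      ? "preflight-free content type " + type
      : "content type is not application/json";
    return { ok: false, status: 415, reason };
  }
  // Browsers attach Origin to cross-origin requests; reject unknown ones.
  const origin = req.headers["origin"];
  if (origin !== undefined && !allowedOrigins.includes(origin)) {
    return { ok: false, status: 403, reason: "origin not allowed: " + origin };
  }
  return { ok: true };
}

// Constructed sample requests (not captured traffic).
const ALLOWED = ["https://app.example.test"];
const samples = [
  { method: "POST", headers: { "content-type": "text/plain", origin: "https://other.example.test" } },
  { method: "POST", headers: { "content-type": "application/json; charset=UTF-8", origin: "https://app.example.test" } },
  { method: "POST", headers: { "content-type": "application/json", origin: "https://other.example.test" } },
];
for (const s of samples) console.log(s.headers["content-type"], "->", JSON.stringify(checkJsonRequest(s, ALLOWED)));
```

The guard only helps if the JSON body parser is not also configured to accept text/plain bodies; the allow-list must include the application's own origin, since browsers also send Origin on same-origin POSTs.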