Cross-site Request Forgery (CSRF) is typically linked to cookies. When you develop RESTful services with ASP.NET Web API, chances are that you are staying away from cookies. Yet ASP.NET Web API based services can still be prone to CSRF attacks.
Add a new action method to an existing or a new MVC controller, with a view containing the code below.
Since we use basic authentication, you can deploy the ASP.NET application in IIS and enable HTTPS if you want to get as close as possible to a production setup.
With that, go to the URL corresponding to the action method and view we just created. Click the Get button. The browser will pop up a dialog and ask for credentials. Enter them to see the API response rendered in an unordered list. From this point onwards, until you close the browser, these credentials are cached, and the browser sends the Authorization header with the credentials in all subsequent requests to the same API.
Say you go to a page with HTML like this.
<img height="0" width="0" src="https://server/yourapp/api/values"/>
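One way a Web API service can refuse a request like the `<img>` one above, even though the browser attaches the cached Authorization header, shown as an added example that is not code from the original article. The class name `CrossSiteRequestGuard` and the choice of `X-Requested-With` as the required header are assumptions.

```csharp
using System.Collections.Generic;
using System.Linq;
using System.Net;
using System.Net.Http;
using System.Threading;
using System.Threading.Tasks;

// Added example (not from the original article). Register in WebApiConfig.Register,
// ahead of any authentication handler:
//     config.MessageHandlers.Add(new CrossSiteRequestGuard());
public class CrossSiteRequestGuard : DelegatingHandler
{
    // Assumption: the application's own script sets this header on every API call.
    // An <img>, <form> or link cannot attach custom headers to its request.
    private const string RequiredHeader = "X-Requested-With";

    protected override Task<HttpResponseMessage> SendAsync(
        HttpRequestMessage request, CancellationToken cancellationToken)
    {
        if (IsMarkedCrossSite(request) || !request.Headers.Contains(RequiredHeader))
        {
            // Short-circuit: the controller never runs, so the cached
            // Authorization header gains the foreign page nothing.
            var denied = new HttpResponseMessage(HttpStatusCode.Forbidden)
            {
                RequestMessage = request,
                Content = new StringContent("Cross-site request rejected.")
            };
            return Task.FromResult(denied);
        }
        return base.SendAsync(request, cancellationToken);
    }

    // Browsers that implement Fetch Metadata label each request with
    // Sec-Fetch-Site; other clients omit it and fall through to the header check.
    private static bool IsMarkedCrossSite(HttpRequestMessage request)
    {
        IEnumerable<string> values;
        if (!request.Headers.TryGetValues("Sec-Fetch-Site", out values))
        {
            return false;
        }
        return !values.All(v => v == "same-origin");
    }
}
```

The header check only holds while the API's CORS policy does not allow other origins to send `X-Requested-With`.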