Hi Matthew,
>> wondering if NetTalk has any CSRF built in, and if so what does it use?
There are some mitigations, yes.
a) all cookies are marked as HTTP only - this means they cannot be read by JavaScript. Also all cookies on SSL connections are marked SECURE, meaning they cannot be used over insecure connections. ( these are somewhat tangential to your CSRF question, but they come into play.)
b) All forms contain a "FormState" value. Without a valid FormState the POST to submit the form will not work. The FormState is tied to the session, and is generated uniquely when the Form is generated.
Therefore a simple POST as described by Troy will not work. NetTalk forms don't just work with a POST.
So, in order for an attack like this to work, at the very least the code would need to include some JavaScript which first fetched the form, and then parsed out the Formstate, and then pushed an answer. But then Same Origin Policy comes into play, and should prevent that. (I've added a template option in 9.27 to make that easier to set.)
That said Troy raises an interesting point about API's. API's work differently to Forms, and I'd need to think a bit about what's involved with regard to API's and preventing API attacks of this nature...
Cheers
Bruce