sympmarc,
SharePoint Web Services are susceptible to Cross-Site Request Forgery attacks if they do not validate a form digest or cannot validate the X-RequestDigest value. Based on the security validation document for SharePoint
http://msdn.microsoft.com/en-us/library/gg552614%28v=office.14%29.aspx#bestpractice_crossrequest
one should be able to attach the X-RequestDigest header to a web service call. I have, however, tried adding random values to the X-RequestDigest header and sent requests to SharePoint web services, and there has been no validation.
Can anyone validate that they have seen the same behaviour or if there is anything that can be done to prevent CSRF on SharePoint web services?