Unlike injection attacks, forgery attacks don't require that the exploited site be compromised; instead, they require that its design allow attacks to be carried out from remote locations. Consider a banking application that allows the user to issue REST-based commands once the user is logged in. A malicious user on another Web site might place an image tag in their site like this:
amount=100000" width="0" height="0"
A more comprehensive mitigation would have the REST endpoint require that an authentication key, session ID, or other unique identifier be provided with the request as a parameter. This would ensure that the requestor had been issued the key directly.
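The check described above, sketched as an added example that is not code from the original page. The endpoint function, the parameter name `token`, the session IDs and the HMAC-based way of deriving the identifier are all assumptions made for illustration.

```python
import hashlib
import hmac
import secrets

# Assumption: one secret per deployment, known only to the bank's servers.
SERVER_KEY = secrets.token_bytes(32)


def issue_token(session_id: str) -> str:
    """Identifier the bank embeds in pages it serves to this session.

    It is bound to the session, so a token issued to one user is
    useless in another user's session.
    """
    return hmac.new(SERVER_KEY, session_id.encode(), hashlib.sha256).hexdigest()


def handle_transfer(session_id, params):
    """Hypothetical REST endpoint; returns (status, message).

    session_id stands for the value the browser sends automatically in
    its cookie; params are the request parameters.
    """
    if session_id is None:
        return 401, "not logged in"
    supplied = params.get("token", "")
    expected = issue_token(session_id)
    # Constant-time comparison, so response timing does not leak the token.
    if not hmac.compare_digest(supplied.encode(), expected.encode()):
        return 403, "missing or invalid request token"
    if "amount" not in params:
        return 400, "amount required"
    return 200, "transferred " + params["amount"]


def demo():
    """Run three constructed requests against the endpoint."""
    sid = "sess-alice"  # constructed sample session
    return {
        # Cross-site request: cookie is attached, but no token is present.
        "cross_site": handle_transfer(sid, {"amount": "100000"}),
        # Request built from the bank's own page, which carries the token.
        "same_site": handle_transfer(sid, {"amount": "100", "token": issue_token(sid)}),
        # Token that was issued to a different session.
        "other_session": handle_transfer(
            sid, {"amount": "100", "token": issue_token("sess-mallory")}),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(name, result)
```

The cross-site request is rejected even though the browser attaches the logged-in user's cookie, because the other site was never issued the token and cannot supply it.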
Image source: https://commons.wikimedia.org/wiki/File:Usdollar100front.jpg
Image Author: U.S. Government