I just read this article in the June MSDN magazine by Peter Vogel and thought it needed to be highlighted. If you're using WebAPI you should think about Cross-Site Request Forgeries. It also applies to the 70-487 test.
"ASP.NET doesn’t automatically protect you against Cross-Site Request Forgery (CSRF/XSRF) attacks (more on that later)."
"When a user accesses an ASP.NET site using Forms Authentication, ASP.NET generates a cookie that stipulates the user is authenticated. The browser will continue to send that cookie on every subsequent request to the site, no matter from where that request originates. This opens your site to CSRF attacks, as does any authentication scheme where the browser automatically sends authentication information previously received. If, after your site provides the browser with the security cookie, the user visits some malicious site, then that site can send requests to your service, piggy-backing on the authentication cookie the browser received earlier.
To prevent CSRF attacks, you’ll need to generate antiforgery tokens at the server and embed them in the page to be used in your client-side calls. Microsoft provides the AntiForgery class with a GetToken method that will generate tokens specific to the user who made the request (who may, of course, be the anonymous user)." (Continue reading for code examples and more information.)
He also shows how to do custom authentication using an HTTPModule or MessageHandler by inheriting from DelegatingHandler.
http://msdn.microsoft.com/en-us/magazine/dn201748.aspx
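As an added example (not code from Vogel's article or from this post), here is one way to wire the token check described above into Web API: the token pair is issued with `AntiForgery.GetTokens` and checked with `AntiForgery.Validate` inside a `DelegatingHandler`. The header name, the class names and the `cookie:form` header format are assumptions of this example; it also assumes web hosting (the `AntiForgery` class needs `HttpContext.Current`) and .NET 4.5 for `Task.FromResult`.

```csharp
using System.Collections.Generic;
using System.Linq;
using System.Net;
using System.Net.Http;
using System.Threading;
using System.Threading.Tasks;
using System.Web.Helpers;   // AntiForgery (System.Web.WebPages.dll)
using System.Web.Mvc;       // HttpAntiForgeryException

public static class CsrfTokens
{
    // Hypothetical header name chosen for this example.
    public const string HeaderName = "X-Request-Verification-Token";

    // Call while rendering the page; page script copies the value into the header.
    public static string Issue()
    {
        string cookieToken, formToken;
        AntiForgery.GetTokens(null, out cookieToken, out formToken);
        return cookieToken + ":" + formToken;
    }
}

public class AntiForgeryHandler : DelegatingHandler
{
    protected override Task<HttpResponseMessage> SendAsync(
        HttpRequestMessage request, CancellationToken cancellationToken)
    {
        // GET/HEAD/OPTIONS must not change state, so only other methods are checked.
        bool safe = request.Method == HttpMethod.Get || request.Method == HttpMethod.Head
                 || request.Method == HttpMethod.Options;
        if (!safe && !HasValidToken(request))
            return Task.FromResult(request.CreateErrorResponse(
                HttpStatusCode.Forbidden, "Missing or invalid antiforgery token."));
        return base.SendAsync(request, cancellationToken);
    }

    private static bool HasValidToken(HttpRequestMessage request)
    {
        IEnumerable<string> values;
        if (!request.Headers.TryGetValues(CsrfTokens.HeaderName, out values)) return false;
        string[] parts = (values.FirstOrDefault() ?? "").Split(':');
        if (parts.Length != 2) return false;
        try
        {
            // Throws when the pair does not match or was issued to a different user.
            AntiForgery.Validate(parts[0].Trim(), parts[1].Trim());
            return true;
        }
        catch (HttpAntiForgeryException) { return false; }
    }
}
```

Register the handler with `config.MessageHandlers.Add(new AntiForgeryHandler());`. A page on another origin cannot read the value rendered by `CsrfTokens.Issue()` from your page, so its forged request arrives with the authentication cookie but without a valid header and gets a 403.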
NOTE: Preventing Cross Site Scripting Attacks in ASP.NET MVC 4 is related, but for MVC 4.