
If JSON applications properly verify the content type and have a well-configured crossdomain.xml, then why do they still use a CSRF token?

Could anybody tell me why they use a CSRF token?

AFAIK, there is no way to execute a CSRF attack if both of the above things are configured properly.

  • crossdomain.xml can only undermine CSRF protections. I don't think checking the content type is a valid form of CSRF prevention. Commented Jan 19, 2015 at 15:36

1 Answer

I assume that by "JSON applications" you mean a web service (HTTP API) which only accepts the JSON content type for incoming requests. Basically, it is correct that if you check for the JSON content type in all of your requests, CSRF would not be possible, since HTML forms only send URL-encoded / form-data / plain-text content types, and AJAX requests are blocked by the browser thanks to the same-origin policy.

My understanding is that this is an extra security measure, applied as an automatic framework that adds CSRF protection to all incoming requests, hence covering for some API call implementations which forgot to validate the content type, such as GET requests that don't accept any content at all, or allowing the usage of different content types in the API.

By the way, the crossdomain.xml file which you referred to is platform-specific to Flash and Silverlight. The corresponding technology in HTTP terminology is called CORS (cross-origin resource sharing), and one must make sure that CORS is not enabled by the server in order for your assumption to be correct.
