However, CSRF tokens are still the most effective way to prevent CSRF attacks. This attack is a brute-force attack against the CSRF token. As the article states,

"[The attack] was able to find two five-figure tokens in under seven minutes."

Luckily, the normal CSRF token is much more complex. For example, here is a token generated through ESAPI (i.e. CSRF Guard):

G8bGdoWkA3GVARPOKsmzQUplynLJ0to1

A token with this level of complexity would not be brute-forced in any reasonable amount of time. And consider this: if we could brute-force this sort of value in a reasonable time frame, then we would brute-force the sessionID instead and just take over the user's session with the application!
-Michael Coates
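To put numbers on the comparison above, here is an added example (not code from the post, the article, or ESAPI) that generates a token of the same shape as the sample and compares its keyspace with a five-digit token. The 62-character alphabet and the guess rate, derived from the quoted "two five-figure tokens in under seven minutes", are assumptions.

```python
import hmac
import math
import secrets
import string

ALPHABET = string.ascii_letters + string.digits   # 62 symbols (assumed alphabet)
TOKEN_LENGTH = 32                                  # length of the sample token above
# Assumed attacker rate: two full sweeps of a five-digit space in seven minutes.
GUESSES_PER_SECOND = 2 * 10**5 / (7 * 60)
SECONDS_PER_YEAR = 365 * 24 * 3600


def new_csrf_token(length=TOKEN_LENGTH):
    """Build a token character by character from the OS CSPRNG."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def token_matches(expected, submitted):
    """Compare in constant time so response timing leaks nothing about the token."""
    return hmac.compare_digest(expected.encode(), submitted.encode())


def keyspace_bits(alphabet_size, length):
    """Entropy in bits of a uniformly random token."""
    return length * math.log2(alphabet_size)


def seconds_to_exhaust(alphabet_size, length, rate=GUESSES_PER_SECOND):
    """Worst-case time to try every possible token at the given guess rate."""
    return alphabet_size ** length / rate


def compare_tokens():
    """Return (label, bits, years to exhaust) for both token styles on the page."""
    rows = []
    for label, size, length in (("five-digit", 10, 5),
                                ("32-char alphanumeric", len(ALPHABET), TOKEN_LENGTH)):
        years = seconds_to_exhaust(size, length) / SECONDS_PER_YEAR
        rows.append((label, round(keyspace_bits(size, length), 1), years))
    return rows


if __name__ == "__main__":
    for label, bits, years in compare_tokens():
        print(f"{label:22s} {bits:6.1f} bits  {years:.3g} years to exhaust")
```

The same arithmetic applies to the session ID: it needs at least as much entropy as the CSRF token, or it becomes the easier target.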