Understanding CSRF

Question

I don\'t understand how using a \'challenge token\' would add any sort of prevention: what value should compared with what?

From OWASP:

In gen

Answer 1

Is there any alternative other than appending the token to every single URL as a query string? Seems very ugly and impractical, and makes bookmarking harder for the user.

There is no reason to append the token to every URL on your site, as long as you ensure that all GET requests on your site are read-only. If you are using a GET request to modify data on the server, you'd have to protect it using a CSRF token.

The funny part with CSRF is that while an attacker can make any http request to your site, he cannot read back the response.

If you have GET urls without a random token, the attacker will be able to make a request, but he won't be able to read back the response. If that url changed some state on the server, the attackers job is done. But if just generated some html, the attacker has gained nothing and you have lost nothing.