When preparing to submit an App to the Salesforce AppExchange Security Review process, ensuring that all systems, including Salesforce and any non-Salesforce systems, adhere to development and security best practices is mandatory. For applications entirely native to the Salesforce platform, the Force.com Security Scanner (Checkmarx) is sufficient. When non-Salesforce systems are part of the app solution, additional scans are required; typically either Chimera or ZAP.
The Chimera web scanner is a cloud based tool that is comprised of many various open-source tools running on Heroku and Salesforce infrastructure. It can be used when the non-Salesforce system(s) in question are publicly open
1. You must be a registered ISV Partner
2. The remote system must be a publicly accessible web application, simply meaning accessible via the public internet and not requires any additional network configuration (proxies, behind firewall, etc.).
3. If the remote system requires authentication, a test account can be configured and provided prior to invoking a scan.
4. You should anticipate the scan requiring 4-16 hours before a findings report is provided.
5. Must have access to web server root to upload an "Abuse Prevention Token" .txt file (or have access to the right team members to do this for you)
1. Log into the Chimera Portal and click on the “Login” link in the upper-right hand corner
2. If prompted, enter the credentials of your ISV Partner account
3. If this is the first time using Chimera with this ISV Partner account, you’ll be prompted to allow ChimeraApp access to your Salesforce org. Review the required permissions and click on the blue “Allow” button.
4. On the following screen, you’ll be prompted with a small block of terms of service language. Review and click on the “Accept” button.
5. You’ll now see the Chimera dashboard and any scans that have been previously ran or requested.
6. Before configuring a new scan, there is a pre-requisite step of uploading a .txt file to the root of the service being tested. This is referred to within Chimera’s portal as the “Abuse Prevention Token.” Click on the “Download Token” link in the menu bar along the top of the screen.
7. Review the instructions on the following screen. It will detail how you need to create a file called ChimeraToken.txt, which will contain your unique token, and that the file needs to be uploaded to the root of the remote system. Click on the “Download My Abuse Prevention Token” button to download the file.
8. If you have access to do so, upload the file to the server’s root; otherwise, provide the file and instructions to the necessary individual(s) to have this step completed for you.
9. The resulting file will look like the following image. Do not modify the file at all.
Not a valid token
10. Once the file is uploaded and in place, make sure you can access the file by going to <yourDomain>.com/ChimeraToken.txt. If you can download the file, great! If not, the Chimera tool will not be able to either, preventing your scan from running.
11. Assuming the above is ok, make your way back to the Chimera Portal and click on the “New Scan” link in the menu bar along the top of the screen
12. You’ll be presented with a form to complete the following details. Once provided, click on the blue “Submit Scan” button
a. Target: The URL of the service needing scanning
b. Do Not Scan: URI paths to omit in the scan
c. Testing Username: The username of a dedicated user for these scans
d. Testing Password: The password for the above username
13. You’ll be taken back to the Chimera Portal’s dashboard where you’ll see your new request as well as its processing status.
14. The status will progress from “Queued” to “Working”
15. You’ll receive an email when the scan is complete.
16. If you’ve been monitoring the tool’s dashboard, you’ll notice the “Status” of your run is now “Completed.” Click on the blue “Download Results” button.
17. The download will be a standard .html file which can be opened in your web browser of choice.
Below are two examples of sample results reports. The first is of when the endpoint could not be accessed by Chimera as you’d likely see if the service were behind a firewall, down altogether, or the Chimera request was misconfigured. The second is a report with some example findings in it - yours will vary greatly depending on services used and functionality exposed.