The Chimera Web Scanner

June 12, 2017

 

When preparing to submit an App to the Salesforce AppExchange Security Review process, ensuring that all systems, including Salesforce and any non-Salesforce systems, adhere to development and security best practices is mandatory.  For applications entirely native to the Salesforce platform, the Force.com Security Scanner (Checkmarx) is sufficient.  When non-Salesforce systems are part of the app solution, additional scans are required; typically either Chimera or ZAP. 

 

The Chimera web scanner is a cloud based tool that is comprised of many various open-source tools running on Heroku and Salesforce infrastructure. It can be used when the non-Salesforce system(s) in question are publicly open

 

Requirements 

1. You must be a registered ISV Partner
 

2. The remote system must be a publicly accessible web application, simply meaning accessible via the public internet and not requires any additional network configuration (proxies, behind firewall, etc.). 
 

3. If the remote system requires authentication, a test account can be configured and provided prior to invoking a scan.
 

4. You should anticipate the scan requiring 4-16 hours before a findings report is provided.
 

5. Must have access to web server root to upload an "Abuse Prevention Token" .txt file (or have access to the right team members to do this for you)

 

Procedure


1. Log into the Chimera Portal and click on the “Login” link in the upper-right hand corner

 

 


2. If prompted, enter the credentials of your ISV Partner account

 

 

 

3. If this is the first time using Chimera with this ISV Partner account, you’ll be prompted to allow ChimeraApp access to your Salesforce org. Review the required permissions and click on the blue “Allow” button.

 

 

 

4. On the following screen, you’ll be prompted with a small block of terms of service language. Review and click on the “Accept” button.

 

 

 

5. You’ll now see the Chimera dashboard and any scans that have been previously ran or requested.

 

 

 

6. Before configuring a new scan, there is a pre-requisite step of uploading a .txt file to the root of the service being tested. This is referred to within Chimera’s portal as the “Abuse Prevention Token.” Click on the “Download Token” link in the menu bar along the top of the screen.

 

7. Review the instructions on the following screen. It will detail how you need to create a file called ChimeraToken.txt, which will contain your unique token, and that the file needs to be uploaded to the root of the remote system. Click on the “Download My Abuse Prevention Token” button to download the file.

 

8. If you have access to do so, upload the file to the server’s root; otherwise, provide the file and instructions to the necessary individual(s) to have this step completed for you.

 

9. The resulting file will look like the following image. Do not modify the file at all.

 

Not a valid token

 

10. Once the file is uploaded and in place, make sure you can access the file by going to <yourDomain>.com/ChimeraToken.txt. If you can download the file, great! If not, the Chimera tool will not be able to either, preventing your scan from running.
 

11. Assuming the above is ok, make your way back to the Chimera Portal and click on the “New Scan” link in the menu bar along the top of the screen
 

12. You’ll be presented with a form to complete the following details. Once provided, click on the blue “Submit Scan” button

a. Target: The URL of the service needing scanning

b. Do Not Scan: URI paths to omit in the scan

c. Testing Username: The username of a dedicated user for these scans

d. Testing Password: The password for the above username 

 

 

 

13. You’ll be taken back to the Chimera Portal’s dashboard where you’ll see your new request as well as its processing status.

 

 

 

14. The status will progress from “Queued” to “Working”
 

 

 

15. You’ll receive an email when the scan is complete.
 

 

 

16. If you’ve been monitoring the tool’s dashboard, you’ll notice the “Status” of your run is now “Completed.” Click on the blue “Download Results” button.

 

 

 

17. The download will be a standard .html file which can be opened in your web browser of choice.

 

Results

Below are two examples of sample results reports.  The first is of when the endpoint could not be accessed by Chimera as you’d likely see if the service were behind a firewall, down altogether, or the Chimera request was misconfigured.  The second is a report with some example findings in it - yours will vary greatly depending on services used and functionality exposed.

 

 

 

 

 

 

 

 

Please reload

Recent Posts
Please reload

CRM Science is an award-winning, strategic Salesforce Silver Consulting Partner focused on delivering practical end-to-end solutions to financial services institutions, manufacturing companies, senior living providers, and other industries. We partner with you throughout your Salesforce journey, specializing in developing business processes, implementation across the different Salesforce clouds, and integrating third-party solutions so you can innovate faster, better engage with customers and improve your bottom line with a unified system. 

We are recognized by Salesforce and were awarded the 2016 Partner Innovation Award for Connected Ecosystem, 2017 Partner Innovation Award for Einstein Analytics, 2018 Partner Innovation Award for Lightning Leadership, and 2019 Partner Innovation Award for Community Cloud.

Ready to find the solution to your Salesforce puzzle? Contact us at info@crmscience.com! 

Partner Innovation Award 2018
Partner Innovation Award 2017
Partner Innovation Award 2016
Philadelphia 100 fastest growing companies

Copyright © 2011-2019 CRM Science, Inc. All rights reserved.