Where we have to upload Chimera abuse prevention token and what is Target URL in the New Scan page

Its important to understand that Chimera scan assumes you own the site or the app (Note its not your force.com app but an external app thats integrated with the force.com app)you are scanning .It implies you have built the external app (Not force.com app) and you have access to the root of the application .

Look at this answer to get a feel how this can be done for Node.js application .Same can be applied to Java or php apps .You need to keep the token file in the root folder .

The target there is your site url .Again not your force.com URL .Lets say your force.com app integrates with a website https://www.sample.com then the target will be https://www.sample.com.

Note that Chimera Report is needed for only external apps and in case you do not have access to the code base of the application you are integrating(lets say amazon or google API) then submit a ZAP report or if your client is ready to spend some $$$ you can go for BURP