fixup! Document web application vulnerability scanning procedure (#7021)

Author: dsotirho-ucsc

OPERATOR.rst

@@ -685,7 +685,9 @@ ZAP Setup
 
   - -> ``Network`` -> ``Rate Limit``, add and enable a 3 request per second rule
     for the match string ``anvilprod.org``, and another rule for the match
-    string ``humancellatlas.org``
+    string ``humancellatlas.org``. This is required to prevent the scans from
+    exceeding the WAF rate limits for the Azul APIs, and being temporarily
+    blocked by the wAF.
 
   - -> ``Check for Updates``:
 
@@ -697,7 +699,8 @@ Running an authenticated scan
 """""""""""""""""""""""""""""
 
 The process for running an authenticated scan is to first obtain an Azul
-authentication token, and then pass this to ZAP via an environment variable. See
+authentication token, and launch the ZAP application with the token set as
+an environment variable. See
 https://www.zaproxy.org/docs/getting-further/authentication/handling-auth-yourself/
 for more information.
 
@@ -719,7 +722,20 @@ for more information.
 
   - ``/Applications/ZAP.app/Contents/MacOS/ZAP.sh``
 
-- Continue with the desired scan
+- After the ZAP application has opened, follow the steps below to create a new
+  session and run a scan. The authorization token you provided will
+  automatically be used to authenticate requests made during the scan.
+
+ZAP Sessions
+""""""""""""
+
+With the ZAP application open, you must start a new session prior to running a
+new scan. Failure to do so can pollute the scan results with the findings from
+the previous scan.
+
+If you are promopted to with options to persist the ZAP session, select ``No, I
+do not want to persist this session`` and click ``Start``. You may now continue
+with the scan of your choice.
 
 Running a Portal / Browser scan
 """""""""""""""""""""""""""""""
@@ -736,7 +752,11 @@ Running a Portal / Browser scan
 
   - Click ``Attack``
 
-- Wait until all scans have completed, note ``Current Status`` in the ZAP footer
+- Wait until all the scans (Ajax spider, passive scans, etc.) have completed. In
+  practice, this can take up to four hours depending on the target URL. Note
+  that you will not recieve a notification when the scans have completed,
+  however you can see the ``Current Status`` in the ZAP window footer, and
+  proceed when all scan counts report ``0``.
 
 - Generate a report (see section below)
 
@@ -751,13 +771,17 @@ In order to run an API scan you must first import the OpenAPI definition.
 
   - Click "Import"
 
-You may now continue with an ``Automated Scan`` as detailed above. For the URL
-to attack, enter the base URL of the Azul indexer or service with no additional
-path (e.g. https://service.explore.anvilproject.org/).
+After importing the OpenAPI definitions, you may now follow the instructions
+above for running an ``Automated Scan``. When entering the URL to attack, use
+the base URL of the Azul indexer or service with no additional path components
+(e.g. https://service.explore.anvilproject.org/).
 
 Generating a ZAP Report
 """""""""""""""""""""""
 
+After a scan has completed, you can save a PDF export of the scan results with
+the ``Generate Report`` action.
+
 - From the menu, select ``Report`` -> ``Generate Report``
 
   - Template: Traditional PDF Report