zaproxy · tenaz3 · Sep 8, 2025 · Sep 10, 2025
diff --git a/addOns/client/CHANGELOG.md b/addOns/client/CHANGELOG.md
@@ -4,7 +4,9 @@ All notable changes to this add-on will be documented in this file.
 The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/).
 
 ## Unreleased
-
+### Added
+- Optional `numberOfBrowsers` parameter for the Client Spider API action `scan` to control concurrency (number of browser windows).
+- Optional `scopeCheck` parameter for the Client Spider API action `scan` to select Scope Check (Flexible or Strict).
 
 ## [0.17.0] - 2025-09-02
 ### Added

diff --git a/addOns/client/src/main/java/org/zaproxy/addon/client/spider/ClientSpiderApi.java b/addOns/client/src/main/java/org/zaproxy/addon/client/spider/ClientSpiderApi.java
@@ -29,6 +29,7 @@
 import org.parosproxy.paros.model.Model;
 import org.parosproxy.paros.model.SiteNode;
 import org.zaproxy.addon.client.ClientOptions;
+import org.zaproxy.addon.client.ClientOptions.ScopeCheck;
 import org.zaproxy.addon.client.ExtensionClientIntegration;
 import org.zaproxy.zap.extension.api.ApiAction;
 import org.zaproxy.zap.extension.api.ApiException;
@@ -63,6 +64,8 @@ public class ClientSpiderApi extends ApiImplementor {
     private static final String PARAM_USER_NAME = "userName";
     private static final String PARAM_MAX_CRAWL_DEPTH = "maxCrawlDepth";
     private static final String PARAM_PAGE_LOAD_TIME = "pageLoadTime";
+    private static final String PARAM_NUMBER_OF_BROWSERS = "numberOfBrowsers";
+    private static final String PARAM_SCOPE_CHECK = "scopeCheck";
 
     private final ExtensionClientIntegration extension;
 
@@ -84,7 +87,9 @@ public ClientSpiderApi(ExtensionClientIntegration extension) {
                                 PARAM_USER_NAME,
                                 PARAM_SUBTREE_ONLY,
                                 PARAM_MAX_CRAWL_DEPTH,
-                                PARAM_PAGE_LOAD_TIME)));
+                                PARAM_PAGE_LOAD_TIME,
+                                PARAM_NUMBER_OF_BROWSERS,
+                                PARAM_SCOPE_CHECK)));
 
         addApiAction(new ApiAction(ACTION_STOP_SCAN, List.of(PARAM_SCAN_ID)));
 
@@ -152,6 +157,13 @@ private ApiResponse startScan(String name, JSONObject params) throws ApiExceptio
         if (params.containsKey(PARAM_PAGE_LOAD_TIME)) {
             options.setPageLoadTimeInSecs(ApiUtils.getIntParam(params, PARAM_PAGE_LOAD_TIME));
         }
+        if (params.containsKey(PARAM_NUMBER_OF_BROWSERS)) {
+            options.setThreadCount(ApiUtils.getIntParam(params, PARAM_NUMBER_OF_BROWSERS));
+        }
+        if (params.containsKey(PARAM_SCOPE_CHECK)) {
+            options.setScopeCheck(
+                    ApiUtils.getOptionalEnumParam(params, PARAM_SCOPE_CHECK, ScopeCheck.class));
+        }
 
         User user = getUser(params, context);
 

diff --git a/...client/src/main/javahelp/org/zaproxy/addon/client/resources/help/contents/spider-api.html b/...client/src/main/javahelp/org/zaproxy/addon/client/resources/help/contents/spider-api.html
@@ -19,7 +19,7 @@ <H2>Views</H2>
 
 <H2>Actions</H2>
 <ul>
-<li><code>scan (browser url contextName userName subtreeOnly maxCrawlDepth pageLoadTime)</code>: Runs the Client Spider against the given URL and/or context. Returns the scanId.</li>
+<li><code>scan (browser url contextName userName subtreeOnly maxCrawlDepth pageLoadTime numberOfBrowsers scopeCheck)</code>: Runs the Client Spider against the given URL and/or context. Returns the scanId.</li>
 <li><code>stop (scanId*)</code>: Stops a Client Spider scan.</li>
 </ul>
 
@@ -32,13 +32,15 @@ <H2>Parameters</H2>
 <li><code>subtreeOnly</code>: If set to 'true', the spider will only scan URLs under the specified URL. Default: 'false'.</li>
 <li><code>maxCrawlDepth</code>: The maximum depth the spider should crawl, where 0 is unlimited. Defaults to client options.</li>
 <li><code>pageLoadTime</code>: The time in seconds to wait for a page to load. Defaults to client options.</li>
+<li><code>numberOfBrowsers</code>: Number of Browser Windows to Open (concurrency). Integer, defaults to client options.</li>
+<li><code>scopeCheck</code>: Scope Check mode, either <code>FLEXIBLE</code> (default) or <code>STRICT</code>.</li>
 <li><code>scanId</code>: The ID of the scan to query or manage.</li>
 </ul>
 
 <H2>Examples</H2>
 <H3>Start a scan:</H3>
 <pre><code>
-https://zap/JSON/clientSpider/action/scan/?url=https://example.com&maxCrawlDepth=5&pageLoadTime=30
+https://zap/JSON/clientSpider/action/scan/?url=https://example.com&maxCrawlDepth=5&pageLoadTime=30&numberOfBrowsers=1&scopeCheck=STRICT
 </code></pre>
 
 <H3>Check status:</H3>

diff --git a/addOns/client/src/main/resources/org/zaproxy/addon/client/resources/Messages.properties b/addOns/client/src/main/resources/org/zaproxy/addon/client/resources/Messages.properties
@@ -31,7 +31,9 @@ client.clientSpider.api.action.scan = Starts a client spider scan.
 client.clientSpider.api.action.scan.param.browser = The ID of the browser. See Selenium documentation for valid IDs.
 client.clientSpider.api.action.scan.param.contextName = The name of the context.
 client.clientSpider.api.action.scan.param.maxCrawlDepth = Maximum Crawl Depth (0 is unlimited).
+client.clientSpider.api.action.scan.param.numberOfBrowsers = Number of Browser Windows to Open (concurrency).
 client.clientSpider.api.action.scan.param.pageLoadTime = Page Load Time (seconds).
+client.clientSpider.api.action.scan.param.scopeCheck = Scope Check (FLEXIBLE or STRICT).
 client.clientSpider.api.action.scan.param.subtreeOnly = true to spider only under the subtree, false otherwise.
 client.clientSpider.api.action.scan.param.url = The URL from where to start the spider.
 client.clientSpider.api.action.scan.param.userName = The name of the user.