Re: [Burp-users] Niggle: Windows Burp 2.2.4 writes to Program Files folder

SourceForge Headquarters 1320 Columbia Street Suite 310 San Diego, CA 92101 +1 (858) 422-6466

I don't know if there are rules on this list for putting replies before or after a post. Let me know if I'm not well behaved so I can adjust.

I noticed that your Windows installer detects when Burp is already installed, and in this case, it silently installs without prompting for all details of a first-time installation. Which is a very nice touch by the way, there are very few Windows installers that do this, most of them ask again and again the same stupid questions like "Do you want a desktop icon?", "Do you want to check for updates?", "Do you want to run the program now?"... at each fricking installation.

So I would suggest to leave existing installations alone and not update them to use the %PROGRAMDATA% scheme. Only new installations would be set up to use %PROGRAMDATA%. That would be simpler from an implementation point of view. However this would create a "fork" that could make tech support a bit more difficult. There is a choice to be made between either trade-off.

Regarding the different Windows versions, there is only one difference between Windows XP and all versions that came after. Vista to Windows 10, and all associated Server versions, use the same %PROGRAMDATA% folder (C:\ProgramData by default). So there is not a lot of complication here, if any, unless you want to continue supporting Windows XP in the future. That is of course your choice, but even Microsoft doesn't support it anymore, and hasn't been for a while. You could draw a line in the sand and decide that starting with Burp version 2.x, Windows XP is not supported, but older Burp versions are still available for Windows XP (e.g. 2.1.32).

Can you disclose what installer product you use? Does it have a scripting capability?

Xavier S.

On Tuesday, June 12, 2018, 8:10:27 AM GMT+2, Graham Keeling <gr...@gr...> wrote: 

On Tue, Jun 12, 2018 at 03:17:00AM +0000, Iznohak via Burp-users wrote:
> Sorry for the flood of posts, I hope you don't mind :)
> 
> By default the Windows version of Burp is set up so that its data files are located in its installation directory within %PROGRAMFILES% (typically C:\Program Files). The burp.conf file, which may need to be edited, the CA directory, the certificate and key files, the lock file, they are all stored under Program Files.
> 
> This is heresy! This is akin to storing all this stuff under /usr/bin or /usr/lib on Linux/Unix :)
> 
> I'd suggest that they be put instead in a Burp folder inside %PROGRAMDATA% (typically C:\ProgramData) which is expressly designed for this purpose.
> 
> I'm not trying to be pedantic just for the sake of it. Using %PROGRAMDATA% instead of %PROGRAMFILES% would certainly please the IT types, but let me give you a practical reason for it that may benefit everybody.
> 
> The need to... yes, you guessed it... backup these data files (configuration, certificates, ...). It's more likely that one may chose to backup the entire %PROGRAMDATA% folder, because it contains unique and irreplaceable data, while exluding %PROGRAMFILES% that doesn't contain anything that can't be easily replaced (by reinstalling or reimaging).
> 
> In fact, I've set things up just like that manually on my Windows machines, and everything is working nicely. The main differences are some settings in burp.conf to point to the right location, and specifying -c <path-to-conf> in the Task Scheduler task.
> 
> The only thing I can't vouch for is the automated burp client CSR/certificate installation, because I generate the certificates with another CA and install them manually, but looking at burp_ca.bat it seems that it might just need changing a few paths. Another possible complication is that under Windows XP, which is apparently still supported(?) by Burp, there is no %PROGRAMDATA% but some other directory with another name and location but same purpose.
> 
> There is one downside to using %PROGRAMDATA% that could be a dealbreaker for some: it's hidden.
> 
> Let me know if you think this is worth further consideration, and I'll log an issue in GitHub.
> 
> Xavier S.

Hello,

I think it is a laudable thing to do.

I think it might possibly be really really annoying to implement, because
it would need to cope with many versions of Windows, like you say, and it
would also need to cope with upgrading on top of existing burp installations.

But I think it is fine to go on github.