Winsock Error 10053 When Sending Modified HTTP Requests with PHP Code (BurpSuite, Windows 11)

Hello,

I'm experiencing a very strange issue on Windows 11 related to network connections when sending modified HTTP requests through BurpSuite (or other proxies like OWASP ZAP and Caido). The issue seems to be related to Winsock, as I receive the error 10053 – "An established connection was aborted by the software in your host machine."

Issue Description:
I'm working on a File Upload vulnerability test on HackTheBox, where I need to upload a modified file with a .php extension. To do this, I intercept the request in BurpSuite, modify the filename, Content-Type, MIME type, and file content (inserting a simple PHP web shell), and then send the request to the target server.

However, as soon as I include any PHP code in the request body (even a simple <?php echo "hello"; ?>), the connection is immediately aborted with error 10053.

If I send a request with just the GIF magic bytes (GIF8;) but no PHP code, the request goes through successfully.

The issue happens only when PHP code is present in the payload.

The error occurs instantly, meaning the packet is never even sent to the target server.

What I've Tried So Far:

• Disabled Windows Defender (firewall + real-time protection) → No effect.
• Used a VPN (ProtonVPN) → No effect (same behavior).
• Captured packets with a protocol analyzer:
  • When PHP code is included, I see a TCP SYN → SYN-ACK → RST sequence, meaning the connection is forcefully closed by my own machine before sending any data.
• Tried different web proxies (OWASP ZAP, Caido) → Same error.
• Checked with another person using the same VPN & target machine on Kali Linux → It worked perfectly.
• Looked at Windows Event Viewer logs → No clear indications of blocking behavior.
• Tried running BurpSuite as Administrator → No effect.
• Checked Windows Filtering Platform (WFP) rules with netsh wfp show filters → No obvious blocking rules detected.

Observations:

This seems to be specific to Windows 11, since the same steps work fine on Kali Linux.

• The RST packet is being sent from my local machine, suggesting something on Windows is detecting PHP code in the request and blocking it.
• It does not seem to be a normal firewall rule, since disabling Defender does not fix it.

Questions:

• Could Windows 11 have a hidden Deep Packet Inspection (DPI) mechanism that is detecting PHP code and blocking the connection?
• How can I identify what software/service is interfering with Winsock and causing error 10053?Are there any advanced Winsock diagnostics I can perform to debug this issue?
• Could this be related to Windows Filtering Platform (WFP)? If so, how can I verify if WFP is interfering?

Any insights or troubleshooting steps would be greatly appreciated! Thank you.