HTTP API
Bullet Force has a HTTP API that's mostly used for account-related operations. It's hosted at https://server.blayzegames.com/OnlineAccountSystem/
and appears to be a PHP server proxied behind Cloudflare.
This book won't cover any potential exploits in the Bullet Force server that could lead to information disclosure, denial of service, arbitrary code execution or other traditional security vulnerabilities. This book is a guide to Bullet Force and Photon internals, it's not a guide on how to illegally compromise server infrastructure you don't own.
Readers are strongly encouraged to responsibly disclose any security issues to the Bullet Force developers, and are reminded that exploiting such security issues is illegal and can result in legal penalties.