NoSQL doesn't mean no injection. MongoDB's $ne, $gt, $regex operators are injection primitives and most scanners miss them entirely. Auth bypass in one JSON body. Blind extraction via $regex one char at a time. $where for timing attacks when server-side JS is enabled. CouchDB Admin Party for legacy targets.
NoSQL Injection: Breaking MongoDB From the Inside
Operator injection, authentication bypass with $ne and $regex, blind boolean extraction, time-based $where detection, CouchDB default access, and automation tools
Kayssel (www.kayssel.com)
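
From the defender's side, the operator-injection login bypass summarized above comes down to a request field arriving as an object where a string was expected. The following is an added example, not code from the original article: it shows a lookup that trusts the body beside a type-checked version and a recursive operator-key check. The `matches` helper is a constructed stand-in for a MongoDB equality/`$ne` match, and every function name and the sample user are assumptions.

```javascript
// Added example: constructed data and hypothetical helper names throughout.
// Minimal stand-in for a MongoDB equality/$ne match, enough to show the effect.
function matches(doc, filter) {
  return Object.entries(filter).every(([field, cond]) => {
    if (cond !== null && typeof cond === 'object') {
      if ('$ne' in cond) return doc[field] !== cond.$ne;
      return false; // other operators are not modelled here
    }
    return doc[field] === cond;
  });
}

// Constructed sample record; a real system stores and compares password hashes.
const users = [{ username: 'alice', password: 'constructed-hash-1' }];

// Before: body fields go straight into the filter, so a parsed JSON object
// in place of the password is evaluated as a query operator.
function loginUnsafe(body) {
  const filter = { username: body.username, password: body.password };
  return users.find((u) => matches(u, filter)) || null;
}

// After: only bounded, non-empty strings are accepted, so an operator object
// can never reach the query layer.
function requireString(value, name) {
  if (typeof value !== 'string' || value.length === 0 || value.length > 256) {
    throw new TypeError(`${name} must be a non-empty string`);
  }
  return value;
}

function loginSafe(body) {
  const username = requireString(body.username, 'username');
  const password = requireString(body.password, 'password');
  return users.find((u) => matches(u, { username, password })) || null;
}

// Defence in depth and a detection hook: flag any body that carries a key
// starting with "$" at any nesting depth (arrays included).
function hasOperatorKey(value) {
  if (value === null || typeof value !== 'object') return false;
  return Object.entries(value).some(
    ([key, child]) => key.startsWith('$') || hasOperatorKey(child)
  );
}
```

Logging requests for which `hasOperatorKey` returns true, rather than silently dropping them, gives detection coverage for the probing that scanners tend to miss.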