4

How do you test for NoSQL injections, considering that the structure (or actually the non-structure) of NoSQL databases is very different from structured databases like MySQL, MSSQL or PostgreSQL?

Are there known tools, payload lists, tricks or other common practices (other than using a creative hacker's mindset) to test whether an application is vulnerable to NoSQL injections?

Bob Ortiz

1 Answer

4

A very basic NoSQL injection can be studied here -- https://ckarande.gitbooks.io/owasp-nodegoat-tutorial/content/tutorial/a1_-_sql_and_nosql_injection.html -- which is available from your testing tools if you install the purposely insecure NodeGoat application.

This blog post contains a discussion and video around a Node.js framework called Meteor that uses a backend NoSQL database, MongoDB -- http://blog.east5th.co/2016/03/21/nosql-injection-in-modern-web-applications/

The principles should apply to other NoSQL databases. For more on penetrating MongoDB (and other NoSQL data stores such as Redis, HBase, CouchDB, and Cassandra), check out this StackExchange answer -- https://security.stackexchange.com/a/96593/140 -- with another blog post specifically on MongoDB to check out here -- http://www.technopy.com/mongodb-injection-how-to-hack-mongodb-html/

For additional details with payload lists (aka wordlists), see this project -- https://github.com/fuzzdb-project/fuzzdb/tree/master/attack/no-sql-injection

atdre
  • There are a couple of MongoDB exercises with the [PentesterLab Web for Pentester Course II](https://pentesterlab.com/exercises/web_for_pentester_II/course). It comes with a VM that you can practice on as well. – DKNUCKLES Mar 17 '17 at 12:30