Add parameters like $lookup, $unionWith, and $match to your wordlist for testing. Any errors or hits on these might give a hint to a potential NoSQL injection.
Shout out to Soroush Dalili for this research!
Sign up to get updates from us
