NoSQL Injection
NoSQL injection is a vulnerability where an attacker is able to
interfere with the queries that an application makes to a NoSQL
database.
To find it, test URL parameters, body parameters, form fields,
cookies (session, fehost, TrackingIds related to analytics and any
non-standard field), the User-Agent and any other non-standard header.
Login Bypass
- {"username":{"$regex": "admin.*"},"password":{"$ne":""}}
- {"name":"username", "password": {"$ne":"0"}}
URL Parameters
- Run a wordlist. When fuzzing a URL parameter with a wordlist, run it both with the '=' character in the payload position and without it. Also try it with and without URL encoding.
- Try a boolean condition that always evaluates to true. For example: ?category=Gifts'||1||' or ?category=Gifts'||'a'=='a.
More payloads at: PayloadsAllTheThings.