HTTP uses CRLF sequences to terminate the start line and each header line. When an input vector is reflected in an HTTP response and attackers can inject CRLF sequences into it, they can craft an arbitrary HTTP response. For example, this could lead to reflected XSS, since the attackers would be able to inject arbitrary HTML content into the response.
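The mechanism described above, shown as an added example (not code from the original page): a naive response builder that reflects a decoded parameter into a header, next to a version that rejects control characters. The handler names, the /index path and the X-Injected header are hypothetical, and the sample inputs are constructed.

```python
from urllib.parse import unquote


def build_response_naive(page: str) -> bytes:
    """Reflect the decoded parameter into a Location header unchanged."""
    return (
        "HTTP/1.1 302 Found\r\n"
        f"Location: /index?page={page}\r\n"
        "Content-Length: 0\r\n"
        "\r\n"
    ).encode("latin-1")


def build_response_checked(page: str) -> bytes:
    """Refuse any value containing CR, LF or other control characters."""
    if any(ord(ch) < 0x20 or ord(ch) == 0x7F for ch in page):
        raise ValueError("control character in header value")
    return build_response_naive(page)


def header_names(raw: bytes) -> list:
    """Parse the header block the way a client would: one header per CRLF."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    return [line.split(":", 1)[0] for line in head.split("\r\n")[1:]]


# Constructed sample inputs, URL-decoded as a web framework would do
BENIGN = unquote("home")
CRAFTED = unquote("home%0D%0AX-Injected:%201")

if __name__ == "__main__":
    # The reflected CRLF ends the Location header early, so the client
    # sees a header the application never intended to send.
    print(header_names(build_response_naive(BENIGN)))
    print(header_names(build_response_naive(CRAFTED)))
    try:
        build_response_checked(CRAFTED)
    except ValueError as exc:
        print("rejected:", exc)
```

Comparing the parsed header names of the two responses is also a practical check when testing: an extra header name in the reflected response means the CRLF survived decoding and output.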
Testers need to find input vectors that could be reflected in HTTP responses, such as GET or POST parameters (like page, id, language, lang...).
For example, in the following request line, the GET parameter page is not sufficiently sanitized and a CRLF sequence (%0D%0A) can be injected.