I can define a url as defined in here: http://developers.box.com/oauth/
and if I don't specify a redirection in the url, that is what is going to be used, but what happens if I specify a redirection url during application creation AND in the URL? Which one should take precedence?
If you define both, then the one on the url must match the one defined during application creation or you should get an error redirect_uri_mismatch shown to the end user.
This error is explained towards the bottom of the page in the table of errors http://developers.box.com/oauth/
They also explain that redirect_uri_mismatch is one of four errors that are shown directly to the end users from a Box error page, and not returned to your application.
For security against at least one type of attack set it at creation time! Then I would just omit it from the url.
I'm linking to oauth.net if you want more info on the attack I am referring to http://oauth.net/advisories/2014-1-covert-redirect/